Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BCompare-5.0.5.30614.exe

Overview

General Information

Sample name:BCompare-5.0.5.30614.exe
Analysis ID:1592373
MD5:5f5d610da3aa05fd1097ef63223b1aad
SHA1:200b7da822bd87d7e1e1f372acb71ae26c5b2e2b
SHA256:6512d423dd07510507e77c68d1805f6b8d10fd7d5e88e4630fbce0922c1f8bee
Infos:

Detection

Score:15
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Found direct / indirect Syscall (likely to bypass EDR)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • BCompare-5.0.5.30614.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\BCompare-5.0.5.30614.exe" MD5: 5F5D610DA3AA05FD1097EF63223B1AAD)
    • BCompare-5.0.5.30614.tmp (PID: 7592 cmdline: "C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp" /SL5="$20486,27293175,1148416,C:\Users\user\Desktop\BCompare-5.0.5.30614.exe" MD5: A25B91D7630476A0FD62AF6290460D8C)
      • BCompare.exe (PID: 7300 cmdline: "C:\Program Files\Beyond Compare 5\BCompare.exe" MD5: FCCFCBF8770ADB5B202955DDC140FA2D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files\Beyond Compare 5\is-0TV5D.tmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
    C:\Program Files\Beyond Compare 5\is-B0TDO.tmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

      Sigma Signatures

      Sigma detected: Classes Autorun Keys Modification
      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: {812BC6B5-83CF-4AD9-97C1-6C60C8D025C5}, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp, ProcessId: 7592, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Beyond Compare 5\(Default)

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results
      Source: BCompare-5.0.5.30614.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpWindow detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.LICENSE AGREEMENTYour use of Beyond Compare is governed by the following Terms and Conditions:Acceptance of License AgreementYou ("Customer") should carefully read the following terms and conditions before using Beyond Compare 5 (the "Software"). Unless you have a different license agreement signed by Scooter Software your use of this software indicates your agreement to these terms and conditions. If you do not accept all of these terms and conditions you must cease using the Software immediately.CopyrightCustomer acknowledges that the Software License Key and accompanying user documentation ("Documentation") are copyrighted works owned by Scooter Software and that Customer has no rights in the foregoing except as expressly granted herein.Free 30-Day TrialThis is not free software. Scooter Software hereby grants you a non-exclusive non-transferable limited license to use the Software free of charge for a period of thirty (30) days. Use of the Software beyond the thirty-day (30-day) trial period requires the purchase of a License Key as described below. Use of the Software beyond the thirty-day (30-day) trial period without purchase of a License Key is a violation of U.S. and international copyright laws.License KeyA unique key that will allow you to use the Software beyond the thirty-day (30-day) free trial period ("License Key") may be purchased from the Scooter Software website which is currently https://www.scootersoftware.com. A License Key may be purchased for single or multiple users all users at a named site or an entire enterprise. A License Key is further categorized by feature set (Standard Edition or Pro Edition). A price list on the Scooter Software website details fees for all license options. Upon purchase of a License Key Scooter Software hereby grants you a non-exclusive license to use the Software with the applicable feature set as follows: Per-User License Key: A Per-User License Key may be purchased for a specific quantity of users. Each user of the total quantity may be either (a) a person who has access to the Software on any number of computers or (b) a computer on which the Software will be installed for use by any number of persons one at a time while physically present at the computer. Each person so licensed must be the Customer an employee of the Customer an employee of a Customer's subsidiary company or a third party consultant retained by the Customer to perform information technology functions (each a "Third Party") to use the Software solely for Customer's internal business operations and benefit and for no other purpose whatsoever. Customer shall ensure that such Third Party complies with the terms of this License Agreement and will be responsible for any breach by such Third Party. Site
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpWindow detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.LICENSE AGREEMENTYour use of Beyond Compare is governed by the following Terms and Conditions:Acceptance of License AgreementYou ("Customer") should carefully read the following terms and conditions before using Beyond Compare 5 (the "Software"). Unless you have a different license agreement signed by Scooter Software your use of this software indicates your agreement to these terms and conditions. If you do not accept all of these terms and conditions you must cease using the Software immediately.CopyrightCustomer acknowledges that the Software License Key and accompanying user documentation ("Documentation") are copyrighted works owned by Scooter Software and that Customer has no rights in the foregoing except as expressly granted herein.Free 30-Day TrialThis is not free software. Scooter Software hereby grants you a non-exclusive non-transferable limited license to use the Software free of charge for a period of thirty (30) days. Use of the Software beyond the thirty-day (30-day) trial period requires the purchase of a License Key as described below. Use of the Software beyond the thirty-day (30-day) trial period without purchase of a License Key is a violation of U.S. and international copyright laws.License KeyA unique key that will allow you to use the Software beyond the thirty-day (30-day) free trial period ("License Key") may be purchased from the Scooter Software website which is currently https://www.scootersoftware.com. A License Key may be purchased for single or multiple users all users at a named site or an entire enterprise. A License Key is further categorized by feature set (Standard Edition or Pro Edition). A price list on the Scooter Software website details fees for all license options. Upon purchase of a License Key Scooter Software hereby grants you a non-exclusive license to use the Software with the applicable feature set as follows: Per-User License Key: A Per-User License Key may be purchased for a specific quantity of users. Each user of the total quantity may be either (a) a person who has access to the Software on any number of computers or (b) a computer on which the Software will be installed for use by any number of persons one at a time while physically present at the computer. Each person so licensed must be the Customer an employee of the Customer an employee of a Customer's subsidiary company or a third party consultant retained by the Customer to perform information technology functions (each a "Third Party") to use the Software solely for Customer's internal business operations and benefit and for no other purpose whatsoever. Customer shall ensure that such Third Party complies with the terms of this License Agreement and will be responsible for any breach by such Third Party. Site
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\PackersJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\unins000.datJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-JQNIL.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-4MHOG.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-B8GAS.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-C1RH0.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-GGN2U.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-K6QSQ.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-7ONVI.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-EC3JI.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-BS8MP.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-C1132.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-B0TDO.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-0TV5D.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-FDK6U.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-8736U.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-NUJ04.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-RE1S8.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-N3K06.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-7NT86.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\unins000.msgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeyondCompare5_is1Jump to behavior
      Source: BCompare-5.0.5.30614.exeStatic PE information: certificate valid
      Source: unknownHTTPS traffic detected: 72.32.90.250:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: BCompare-5.0.5.30614.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\rar\build\unrardll64\Release\UnRAR64.pdb source: BCompare.exe, 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmp, is-EC3JI.tmp.1.dr
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6634614C FindFirstFileW,FindFirstFileW,free,6_2_6634614C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158A190 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,6_2_00007FFE1158A190
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115AE080 FindFirstFileExA,6_2_00007FFE115AE080
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then movzx eax, byte ptr [rsp+rcx+20h]6_2_6643E660
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then add rbp, 10h6_2_66444670
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov edx, dword ptr [rsp+40h]6_2_66444670
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov r10, qword ptr [r11-08h]6_2_66476410
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov dword ptr [rax+78h], edx6_2_66472260
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov rax, r86_2_6646A330
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then inc edx6_2_6646A1C0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then movzx eax, byte ptr [r15+rsi]6_2_664621A0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov qword ptr [rcx], rbx6_2_66476ED0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov ecx, dword ptr [rdi+70h]6_2_6646EA10
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov rax, qword ptr [rdi+40h]6_2_6643EAB0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov byte ptr [rsp+70h], bpl6_2_6643EAB0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov byte ptr [rax-01h], bl6_2_66444B00
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov rdx, rsi6_2_664773E0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then movzx eax, byte ptr [rcx]6_2_66443F60
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov r9d, ebx6_2_66469FE0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov rbx, rdi6_2_66475FF0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov r9, qword ptr [rdi+40h]6_2_6646DB70
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then add rcx, rcx6_2_66461B00
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then movzx eax, byte ptr [rdx]6_2_6646B840
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 4x nop then mov qword ptr [rsp+rax*8+30h], FFFFFFFFFFFFFFFFh6_2_6646B840
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /checkupdates.php?product=bc5&minor=0&maint=5&auth=30.15&build=30614&edition=prodebug&cpuarch=x86_64&platform=win32&lang=silent HTTP/1.1Accept: */*User-Agent: BeyondCompare/5.0 (Windows NT 10.0; Win64; x64)Host: www.scootersoftware.comConnection: Keep-AliveCache-Control: no-cache
      Source: global trafficDNS traffic detected: DNS query: www.scootersoftware.com
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
      Source: BCompare.exe, 00000006.00000002.2967105677.00000286A39C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOSHA256CodeSigningCA.crl0w
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000002.2186041323.000000000039C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://gnuwin32.sourceforge.net
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://ocsp.comodoca.com0
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0&
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0A
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0X
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://ocsp.sectigo.com0
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: http://ocsp.sectigo.com0&
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A145F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/chart03H
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/chartDrawing
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A145F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/main03H
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/drawingml/spreadsheetDrawing
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/customProperties
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/customXml
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/customXmlDataProps
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/docPropsVTypes
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/extendedProperties
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/chart
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/chartUserShapes
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/chartsheet
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/comments
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/connections
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A13B5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/customProperties
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/customXml
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/customXmlProps
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/dialogsheet
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/drawing
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A13B5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/extendedProperties
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/externalLink
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/externalLinkPath
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/hyperlink
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/image
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/metadata/thumbnail
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/officeDocument
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/oleObject
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheDefinition
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/pivotTable
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/printerSettings
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/queryTable
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/sharedStrings
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/sheetMetadata
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/styles
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/table
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/tableSingleCells
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/theme
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/worksheet
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/xmlMaps
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/spreadsheetml/
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/ooxml/spreadsheetml/mainx64
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000009C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903#SignedProperties
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.1.1#
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.1.1#SignedProperties
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.2.2#
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.2.2#BER
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.2.2#CER
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.2.2#DER
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.2.2#PER
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.2.2#SignedProperties
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.2.2#XER
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.3.2#
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/01903/v1.4.1#
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/02231/TSLTag
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/02231/v1.1.1#
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/02231/v2#
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/02231/v2#SH
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/02231/v2/additionaltypes#
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/19612/TSLTag
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/ACA
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/AdESGeneration
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/AdESValidation
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/Archiv
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/Archiv/nothavingPKIid
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/CA/PKC
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/CA/QC
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/Certstatus/CRL
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/Certstatus/CRL/QC
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/EDS
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/EDS/Q
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/EDS/REM
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/EDS/REM/Q
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/IdV
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/IdV/nothavingPKIid
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/KEscrow
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/KEscrow/nothavingPKIid
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/NationalRootCA-QC
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/PPwd
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/PPwd/nothavingPKIid
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/PSES
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/PSES/Q
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/QESValidation/Q
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/RA
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/RA/nothavingPKIid
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/RemoteQSCDManagement/Q
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/SignaturePolicyAuthority
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/TLIssuer
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/TSA
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QC
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/Svctype/unspecified
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevel
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevelUH
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevelUWVSH
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUgeneric
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUlistofthelists
      Source: is-EC3JI.tmp.1.drString found in binary or memory: http://www.digicert.com/CPS0
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.ebics.org/H003
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.ghisler.com/plugins.htm
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000002.2186041323.000000000039C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.gnu.org/software/patch/patch.htmlDVarFileInfo$
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000009C1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A145F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ietf.org/rfc/rfc3075.txt
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000009C1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A145F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ietf.org/rfc/rfc3275.txt
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.totalcmd.net/directory/packer.html
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1360000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000000.2141040356.0000000002908000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.xpdfreader.com/index.html
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://x.ss2.us/x.cer
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://api.dropbox.com/oauth2/token?
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://api.dropboxapi.com/
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://api.dropboxapi.com/2/
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://content.dropboxapi.com/2/files/
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://content.dropboxapi.com/2/files/download
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://ec.europa.eu/tools/lotl/eu-lotl.xml
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token
      Source: BCompare-5.0.5.30614.exeString found in binary or memory: https://scootersoftware.com/kb/netsetupSetupU
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drString found in binary or memory: https://sectigo.com/CPS0
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.dropbox.com/oauth2/authorize?response_type=code&token_access_type=offline&client_id=ftp1
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007F87B000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003720000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000000.1693345022.00000000005D1000.00000020.00000001.01000000.00000004.sdmp, BCompare-5.0.5.30614.tmp.0.drString found in binary or memory: https://www.innosetup.com/
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007F87B000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003720000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000000.1693345022.00000000005D1000.00000020.00000001.01000000.00000004.sdmp, BCompare-5.0.5.30614.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2181663945.000000000281B000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2964266512.00000286A2FFA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000002.2187193317.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.1825550777.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2184346123.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2184396439.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2184396439.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2180501409.00000000038D2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com.
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.1821334331.0000000003660000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2181663945.00000000028CC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000002.2186041323.000000000039C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.2191926141.000000000327C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/)
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2181663945.00000000028CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/1
      Source: BCompare.exe, 00000006.00000002.2956427761.000002869F913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/2
      Source: BCompare.exe, 00000006.00000002.2964266512.00000286A2FA7000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2967105677.00000286A39B0000.00000004.00000020.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmp, checkupdates[1].htm.6.drString found in binary or memory: https://www.scootersoftware.com/BCompare-5.0.5.30614.exe
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.2191926141.000000000327C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/Y
      Source: BCompare.exe, 00000006.00000000.2141040356.00000000038D1000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/bugRepMailer.php
      Source: BCompare.exe, 00000006.00000002.2956427761.000002869F899000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/bugRepMailer.phpe
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/buybc5?bld=%d
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/buybc5?bld=%d8
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A13F9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/buybc5?bld=30614
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/buybc5?bld=3061446
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000002.2186041323.000000000039C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/buynow
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/checkupdates.php?product=bc5&minor=
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A13BC000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2956427761.000002869F913000.00000004.00000020.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2956427761.000002869F969000.00000004.00000020.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D4B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/checkupdates.php?product=bc5&minor=0&maint=5&auth=30.15&build=30614&
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/colors_win5
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/download.php
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/expiring?code=%s
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/formats_win5
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A145F000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A1429000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/forums
      Source: BCompare.exe, 00000006.00000002.2956427761.000002869F913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/j
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/support.php
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/support.php?keyword=%s&version=BC5&platform=Windows
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/upgrade
      Source: BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.scootersoftware.com/upgradeSH
      Source: BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A13CB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/videos_win5
      Source: BCompare.exe, 00000006.00000002.2958303068.00000286A145F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.scootersoftware.com/videos_win503H
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
      Source: unknownHTTPS traffic detected: 72.32.90.250:443 -> 192.168.2.4:49740 version: TLS 1.2
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157F8F0: CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SetFileSecurityW,GetLastError,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,6_2_00007FFE1157F8F0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6643E6606_2_6643E660
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_664446706_2_66444670
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6637672C6_2_6637672C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663787146_2_66378714
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663B07486_2_663B0748
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6646A7306_2_6646A730
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663EA79C6_2_663EA79C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663684146_2_66368414
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6635244C6_2_6635244C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6637A5346_2_6637A534
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663725646_2_66372564
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663845A86_2_663845A8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663922346_2_66392234
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663D82786_2_663D8278
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663942746_2_66394274
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663E62F86_2_663E62F8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663602D86_2_663602D8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6638E2C06_2_6638E2C0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6639C36C6_2_6639C36C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6647A3306_2_6647A330
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663BC3986_2_663BC398
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_664783E06_2_664783E0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6636E38C6_2_6636E38C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663F03F06_2_663F03F0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6636C0FC6_2_6636C0FC
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663AA0E06_2_663AA0E0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6639C0D86_2_6639C0D8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_664581506_2_66458150
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663481686_2_66348168
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_664801306_2_66480130
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6647A1B06_2_6647A1B0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663D6E646_2_663D6E64
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663E2E446_2_663E2E44
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66476ED06_2_66476ED0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6635AE906_2_6635AE90
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66358C246_2_66358C24
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6639EC5C6_2_6639EC5C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6638ECD06_2_6638ECD0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663FCD1C6_2_663FCD1C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663C4D086_2_663C4D08
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663A8DB46_2_663A8DB4
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66388DE46_2_66388DE4
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663B6DC46_2_663B6DC4
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663AAA306_2_663AAA30
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663CCA006_2_663CCA00
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6646EA106_2_6646EA10
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66394A8C6_2_66394A8C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66476AF06_2_66476AF0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66370AE86_2_66370AE8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6643EAB06_2_6643EAB0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66480B506_2_66480B50
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66458B306_2_66458B30
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6636E8D46_2_6636E8D4
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_664689106_2_66468910
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6637E9686_2_6637E968
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663FA9486_2_663FA948
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663DE9B86_2_663DE9B8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663B89C06_2_663B89C0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663636246_2_66363624
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6635D6706_2_6635D670
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6637F6786_2_6637F678
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6639F6646_2_6639F664
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663976446_2_66397644
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6635169C6_2_6635169C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663676FC6_2_663676FC
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663417706_2_66341770
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663D57B06_2_663D57B0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663F77CC6_2_663F77CC
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6647F4706_2_6647F470
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6638B4006_2_6638B400
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6646D4306_2_6646D430
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663EF49C6_2_663EF49C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_664735406_2_66473540
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663C155C6_2_663C155C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663755F06_2_663755F0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663A92A86_2_663A92A8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663932806_2_66393280
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6636B3106_2_6636B310
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_664473D06_2_664473D0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_664773E06_2_664773E0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6637D3C46_2_6637D3C4
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6643F0306_2_6643F030
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6640103C6_2_6640103C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663B50BC6_2_663B50BC
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663A71246_2_663A7124
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6637B1606_2_6637B160
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663E51906_2_663E5190
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66403E886_2_66403E88
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6639BEC06_2_6639BEC0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66351F206_2_66351F20
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663ABF246_2_663ABF24
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66443F606_2_66443F60
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6646DFC06_2_6646DFC0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663C7FA86_2_663C7FA8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663FBC346_2_663FBC34
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663D3C146_2_663D3C14
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66355CB06_2_66355CB0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6639FCAC6_2_6639FCAC
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66453D506_2_66453D50
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663E7D0C6_2_663E7D0C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66397D946_2_66397D94
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66363DFC6_2_66363DFC
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66395DDC6_2_66395DDC
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6646FDA06_2_6646FDA0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663F1DC46_2_663F1DC4
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6635FA686_2_6635FA68
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663C1B146_2_663C1B14
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_66461B006_2_66461B00
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6646B8406_2_6646B840
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663578746_2_66357874
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663EF8746_2_663EF874
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663A785C6_2_663A785C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663F197C6_2_663F197C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6637D9806_2_6637D980
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663F39E46_2_663F39E4
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157B1A06_2_00007FFE1157B1A0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157C2306_2_00007FFE1157C230
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115842106_2_00007FFE11584210
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158E1F06_2_00007FFE1158E1F0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115860F06_2_00007FFE115860F0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157B3606_2_00007FFE1157B360
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115923D06_2_00007FFE115923D0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115A42A06_2_00007FFE115A42A0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1159027A6_2_00007FFE1159027A
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115B23286_2_00007FFE115B2328
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115723006_2_00007FFE11572300
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158D3006_2_00007FFE1158D300
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158B2F06_2_00007FFE1158B2F0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115892C06_2_00007FFE115892C0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1159C2C06_2_00007FFE1159C2C0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157E2D06_2_00007FFE1157E2D0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157C5706_2_00007FFE1157C570
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158B5406_2_00007FFE1158B540
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115A25F06_2_00007FFE115A25F0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115905C66_2_00007FFE115905C6
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1159C7506_2_00007FFE1159C750
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115946B06_2_00007FFE115946B0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115917306_2_00007FFE11591730
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158C6C06_2_00007FFE1158C6C0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157C9A06_2_00007FFE1157C9A0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157B9806_2_00007FFE1157B980
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1159A9706_2_00007FFE1159A970
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115909406_2_00007FFE11590940
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1159B9406_2_00007FFE1159B940
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115729E06_2_00007FFE115729E0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115999ED6_2_00007FFE115999ED
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157A9D06_2_00007FFE1157A9D0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115968606_2_00007FFE11596860
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115A49006_2_00007FFE115A4900
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157F8F06_2_00007FFE1157F8F0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11586B606_2_00007FFE11586B60
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1159CB406_2_00007FFE1159CB40
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1159BC006_2_00007FFE1159BC00
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157ABC06_2_00007FFE1157ABC0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11577AA06_2_00007FFE11577AA0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11591AE06_2_00007FFE11591AE0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1157BDB06_2_00007FFE1157BDB0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11591DE06_2_00007FFE11591DE0
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115710006_2_00007FFE11571000
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11595C906_2_00007FFE11595C90
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115A1D306_2_00007FFE115A1D30
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11575F906_2_00007FFE11575F90
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115ADE746_2_00007FFE115ADE74
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1159BE406_2_00007FFE1159BE40
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11598F206_2_00007FFE11598F20
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11577F306_2_00007FFE11577F30
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11599F106_2_00007FFE11599F10
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115ABED86_2_00007FFE115ABED8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: String function: 6634221C appears 46 times
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: String function: 663432D8 appears 65 times
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: String function: 663442CC appears 57 times
      Source: BCompare-5.0.5.30614.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: is-JQNIL.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: is-B8GAS.tmp.1.drStatic PE information: Resource name: RT_STRING type: PDP-11 demand-paged pure executable not stripped
      Source: is-B8GAS.tmp.1.drStatic PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
      Source: is-B8GAS.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
      Source: is-B8GAS.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
      Source: is-B8GAS.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: Delphi compiled form '\031TVfsArchivePasswordDialog\030VfsArchivePasswordDialog\007Caption\006\016Enter Password\014ClientHeight\003\224'
      Source: BCompare-5.0.5.30614.exeStatic PE information: Number of sections : 11 > 10
      Source: is-B8GAS.tmp.1.drStatic PE information: Number of sections : 11 > 10
      Source: BCompare-5.0.5.30614.tmp.0.drStatic PE information: Number of sections : 11 > 10
      Source: is-JQNIL.tmp.1.drStatic PE information: Number of sections : 11 > 10
      Source: is-B8GAS.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: Delphi compiled form '\024TPixFullScreenDialog\023PixFullScreenDialog\013BorderStyle\007\006bsNone\014ClientHeight\003\300\001\013ClientWidth\003\300\001\005Color\004..#'
      Source: is-K6QSQ.tmp.1.drStatic PE information: No import functions for PE file found
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs BCompare-5.0.5.30614.exe
      Source: BCompare-5.0.5.30614.exe, 00000000.00000000.1689594927.000000000053D000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs BCompare-5.0.5.30614.exe
      Source: BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs BCompare-5.0.5.30614.exe
      Source: BCompare-5.0.5.30614.exeBinary or memory string: OriginalFileName vs BCompare-5.0.5.30614.exe
      Source: BCompare-5.0.5.30614.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: is-K6QSQ.tmp.1.drStatic PE information: Section .rsrc
      Source: BCompare.exe, 00000006.00000002.2964266512.00000286A2FF3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: (*.bas;*.cls;*.ctl;*.frm;*.vb;*.vbp;*.vbs
      Source: BCompare.exe, 00000006.00000000.2141040356.0000000002908000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: <Mask Value="*.bas;*.cls;*.ctl;*.frm;*.vb;*.vbp;*.vbs"/>
      Source: classification engineClassification label: clean15.evad.winEXE@5/48@1/1
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11582760 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,6_2_00007FFE11582760
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158B990 CoCreateInstance,SysAllocString,SysFreeString,CoSetProxyBlanket,SysFreeString,SysFreeString,VariantClear,6_2_00007FFE1158B990
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Users\Public\Desktop\Beyond Compare 5.lnkJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1c84
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeMutant created: NULL
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeMutant created: \Sessions\1\BaseNamedObjects\HookTThread$1c84
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeMutant created: \Sessions\1\BaseNamedObjects\Global\BeyondCompare5
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeMutant created: \Sessions\1\BaseNamedObjects\Beyond Compare: BE887BC7-16B2-48B5-B618-B3A52A26EC10
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeMutant created: \Sessions\1\BaseNamedObjects\BeyondCompare5
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeFile created: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmpJump to behavior
      Source: Yara matchFile source: C:\Program Files\Beyond Compare 5\is-0TV5D.tmp, type: DROPPED
      Source: Yara matchFile source: C:\Program Files\Beyond Compare 5\is-B0TDO.tmp, type: DROPPED
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile read: C:\Program Files\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
      Source: BCompare-5.0.5.30614.exeString found in binary or memory: /LOADINF="filename"
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeFile read: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\BCompare-5.0.5.30614.exe "C:\Users\user\Desktop\BCompare-5.0.5.30614.exe"
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp "C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp" /SL5="$20486,27293175,1148416,C:\Users\user\Desktop\BCompare-5.0.5.30614.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess created: C:\Program Files\Beyond Compare 5\BCompare.exe "C:\Program Files\Beyond Compare 5\BCompare.exe"
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp "C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp" /SL5="$20486,27293175,1148416,C:\Users\user\Desktop\BCompare-5.0.5.30614.exe" Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess created: C:\Program Files\Beyond Compare 5\BCompare.exe "C:\Program Files\Beyond Compare 5\BCompare.exe"Jump to behavior
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: wtsapi32.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: winsta.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: duser.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: xmllite.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: atlthunk.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: msftedit.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: windows.globalization.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: bcp47mrm.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: globinputhost.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: windows.ui.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: windowmanagementapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: inputhost.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: dwmapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: explorerframe.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: sfc.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: sfc_os.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: linkinfo.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: ntshrui.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: cscapi.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpSection loaded: netutils.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: winmm.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: version.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: wsock32.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: faultrep.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: dbgcore.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: wtsapi32.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: netapi32.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: bcunrar.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: security.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: msimg32.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: windowscodecs.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: 7z.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: mlang.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: dwmapi.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: dataexchange.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: d3d11.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: dcomp.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: dxgi.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: explorerframe.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeSection loaded: wininetlui.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
      Source: Beyond Compare 5.lnk.1.drLNK file: ..\..\..\..\..\Program Files\Beyond Compare 5\BCompare.exe
      Source: Beyond Compare 5.lnk0.1.drLNK file: ..\..\..\Program Files\Beyond Compare 5\BCompare.exe
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpWindow found: window name: TMainFormJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: I accept the agreement
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: Next
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: I accept the agreement
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: Next
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: I accept the agreement
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: Next
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: I accept the agreement
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: Install
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpAutomated click: I accept the agreement
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpWindow detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.LICENSE AGREEMENTYour use of Beyond Compare is governed by the following Terms and Conditions:Acceptance of License AgreementYou ("Customer") should carefully read the following terms and conditions before using Beyond Compare 5 (the "Software"). Unless you have a different license agreement signed by Scooter Software your use of this software indicates your agreement to these terms and conditions. If you do not accept all of these terms and conditions you must cease using the Software immediately.CopyrightCustomer acknowledges that the Software License Key and accompanying user documentation ("Documentation") are copyrighted works owned by Scooter Software and that Customer has no rights in the foregoing except as expressly granted herein.Free 30-Day TrialThis is not free software. Scooter Software hereby grants you a non-exclusive non-transferable limited license to use the Software free of charge for a period of thirty (30) days. Use of the Software beyond the thirty-day (30-day) trial period requires the purchase of a License Key as described below. Use of the Software beyond the thirty-day (30-day) trial period without purchase of a License Key is a violation of U.S. and international copyright laws.License KeyA unique key that will allow you to use the Software beyond the thirty-day (30-day) free trial period ("License Key") may be purchased from the Scooter Software website which is currently https://www.scootersoftware.com. A License Key may be purchased for single or multiple users all users at a named site or an entire enterprise. A License Key is further categorized by feature set (Standard Edition or Pro Edition). A price list on the Scooter Software website details fees for all license options. Upon purchase of a License Key Scooter Software hereby grants you a non-exclusive license to use the Software with the applicable feature set as follows: Per-User License Key: A Per-User License Key may be purchased for a specific quantity of users. Each user of the total quantity may be either (a) a person who has access to the Software on any number of computers or (b) a computer on which the Software will be installed for use by any number of persons one at a time while physically present at the computer. Each person so licensed must be the Customer an employee of the Customer an employee of a Customer's subsidiary company or a third party consultant retained by the Customer to perform information technology functions (each a "Third Party") to use the Software solely for Customer's internal business operations and benefit and for no other purpose whatsoever. Customer shall ensure that such Third Party complies with the terms of this License Agreement and will be responsible for any breach by such Third Party. Site
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpWindow detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.LICENSE AGREEMENTYour use of Beyond Compare is governed by the following Terms and Conditions:Acceptance of License AgreementYou ("Customer") should carefully read the following terms and conditions before using Beyond Compare 5 (the "Software"). Unless you have a different license agreement signed by Scooter Software your use of this software indicates your agreement to these terms and conditions. If you do not accept all of these terms and conditions you must cease using the Software immediately.CopyrightCustomer acknowledges that the Software License Key and accompanying user documentation ("Documentation") are copyrighted works owned by Scooter Software and that Customer has no rights in the foregoing except as expressly granted herein.Free 30-Day TrialThis is not free software. Scooter Software hereby grants you a non-exclusive non-transferable limited license to use the Software free of charge for a period of thirty (30) days. Use of the Software beyond the thirty-day (30-day) trial period requires the purchase of a License Key as described below. Use of the Software beyond the thirty-day (30-day) trial period without purchase of a License Key is a violation of U.S. and international copyright laws.License KeyA unique key that will allow you to use the Software beyond the thirty-day (30-day) free trial period ("License Key") may be purchased from the Scooter Software website which is currently https://www.scootersoftware.com. A License Key may be purchased for single or multiple users all users at a named site or an entire enterprise. A License Key is further categorized by feature set (Standard Edition or Pro Edition). A price list on the Scooter Software website details fees for all license options. Upon purchase of a License Key Scooter Software hereby grants you a non-exclusive license to use the Software with the applicable feature set as follows: Per-User License Key: A Per-User License Key may be purchased for a specific quantity of users. Each user of the total quantity may be either (a) a person who has access to the Software on any number of computers or (b) a computer on which the Software will be installed for use by any number of persons one at a time while physically present at the computer. Each person so licensed must be the Customer an employee of the Customer an employee of a Customer's subsidiary company or a third party consultant retained by the Customer to perform information technology functions (each a "Third Party") to use the Software solely for Customer's internal business operations and benefit and for no other purpose whatsoever. Customer shall ensure that such Third Party complies with the terms of this License Agreement and will be responsible for any breach by such Third Party. Site
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\PackersJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\unins000.datJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-JQNIL.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-4MHOG.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-B8GAS.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-C1RH0.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-GGN2U.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-K6QSQ.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-7ONVI.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-EC3JI.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-BS8MP.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-C1132.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-B0TDO.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-0TV5D.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-FDK6U.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-8736U.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-NUJ04.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-RE1S8.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-N3K06.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\is-7NT86.tmpJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDirectory created: C:\Program Files\Beyond Compare 5\unins000.msgJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeyondCompare5_is1Jump to behavior
      Source: BCompare-5.0.5.30614.exeStatic PE information: certificate valid
      Source: BCompare-5.0.5.30614.exeStatic file information: File size 28399696 > 1048576
      Source: BCompare-5.0.5.30614.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\rar\build\unrardll64\Release\UnRAR64.pdb source: BCompare.exe, 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmp, is-EC3JI.tmp.1.dr
      Source: BCompare-5.0.5.30614.exeStatic PE information: section name: .didata
      Source: BCompare-5.0.5.30614.tmp.0.drStatic PE information: section name: .didata
      Source: BCShellEx.dll.1.drStatic PE information: section name: .didata
      Source: is-8736U.tmp.1.drStatic PE information: section name: .didata
      Source: is-JQNIL.tmp.1.drStatic PE information: section name: .didata
      Source: is-B8GAS.tmp.1.drStatic PE information: section name: .didata
      Source: is-GGN2U.tmp.1.drStatic PE information: section name: .didata
      Source: is-EC3JI.tmp.1.drStatic PE information: section name: _RDATA
      Source: is-BS8MP.tmp.1.drStatic PE information: section name: .didata
      Source: is-B0TDO.tmp.1.drStatic PE information: section name: .didata
      Source: is-0TV5D.tmp.1.drStatic PE information: section name: .didata
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11574151 push rbp; iretd 6_2_00007FFE11574152
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115741FB push rcx; retf 0001h6_2_00007FFE115741FC
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11574124 push rbp; iretd 6_2_00007FFE11574125
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115743AC push rbp; iretd 6_2_00007FFE115743AD
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11574348 push rsp; retf 0001h6_2_00007FFE11574349
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115742A9 push rbp; iretd 6_2_00007FFE115742AA
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11574249 push rbx; retf 6_2_00007FFE1157424A
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11574899 push rbp; iretd 6_2_00007FFE1157489A
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-JQNIL.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-BS8MP.tmpJump to dropped file
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeFile created: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\BCUnRAR.dll (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\BComp.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\7z.dll (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\_isetup\_setup64.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\BCShellEx.dllJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-7ONVI.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\PdfToText.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-0TV5D.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\BCShellEx64.dll (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-EC3JI.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\Is64Bit.dllJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-GGN2U.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-N3K06.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\mscoree.dll (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\BComp.com (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\BCClipboard.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-4MHOG.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\BCShellEx.dll (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\Patch.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\BCompare.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-K6QSQ.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-B8GAS.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\unins000.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-B0TDO.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\Program Files\Beyond Compare 5\is-8736U.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Beyond Compare 5Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Beyond Compare 5.lnkJump to behavior
      Source: C:\Users\user\Desktop\BCompare-5.0.5.30614.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-GGN2U.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-BS8MP.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-N3K06.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\BComp.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\mscoree.dll (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\BComp.com (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\_isetup\_setup64.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\BCClipboard.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\BCShellEx.dllJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\BCShellEx.dll (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-4MHOG.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\Patch.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\PdfToText.exe (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-7ONVI.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-0TV5D.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\BCShellEx64.dll (copy)Jump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-K6QSQ.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-EC3JI.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-B0TDO.tmpJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\Is64Bit.dllJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpDropped PE file which has not been started: C:\Program Files\Beyond Compare 5\is-8736U.tmpJump to dropped file
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeAPI coverage: 0.2 %
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_6634614C FindFirstFileW,FindFirstFileW,free,6_2_6634614C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158A190 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,6_2_00007FFE1158A190
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115AE080 FindFirstFileExA,6_2_00007FFE115AE080
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_663489E0 GetSystemInfo,6_2_663489E0
      Source: BCompare.exe, 00000006.00000000.2141040356.0000000002908000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: QEMU Copy On Write archive
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2184396439.0000000000DA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\,
      Source: BCompare.exe, 00000006.00000002.2956427761.000002869F899000.00000004.00000020.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2967105677.00000286A39B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: is-FDK6U.tmp.1.drBinary or memory string: vmcIPK
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115A68B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FFE115A68B8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115AF100 GetProcessHeap,6_2_00007FFE115AF100
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115A68B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FFE115A68B8
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115A5A4C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FFE115A5A4C
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115AAC68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FFE115AAC68
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Found direct / indirect Syscall (likely to bypass EDR)
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeNtQuerySystemInformation: Indirect: 0xB701F5Jump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeNtQuerySystemInformation: Indirect: 0xB7012BJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE11595390 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,6_2_00007FFE11595390
      Source: BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, BCShellEx.dll.1.drBinary or memory string: Progman
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115B2110 cpuid 6_2_00007FFE115B2110
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmpQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE115A6A04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_00007FFE115A6A04
      Source: C:\Program Files\Beyond Compare 5\BCompare.exeCode function: 6_2_00007FFE1158B8D0 GetVersionExW,6_2_00007FFE1158B8D0

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
      Command and Scripting Interpreter      		11
      Windows Service      		1
      Access Token Manipulation      		3
      Masquerading      		OS Credential Dumping1
      System Time Discovery      		Remote Services1
      Archive Collected Data      		11
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/Job1
      Registry Run Keys / Startup Folder      		11
      Windows Service      		1
      Disable or Modify Tools      		LSASS Memory21
      Security Software Discovery      		Remote Desktop ProtocolData from Removable Media1
      Ingress Tool Transfer      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAt1
      DLL Side-Loading      		2
      Process Injection      		1
      Access Token Manipulation      		Security Account Manager2
      Process Discovery      		SMB/Windows Admin SharesData from Network Shared Drive2
      Non-Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
      Abuse Elevation Control Mechanism      		2
      Process Injection      		NTDS2
      System Owner/User Discovery      		Distributed Component Object ModelInput Capture3
      Application Layer Protocol      		Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
      Registry Run Keys / Startup Folder      		1
      Deobfuscate/Decode Files or Information      		LSA Secrets2
      File and Directory Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
      DLL Side-Loading      		1
      Abuse Elevation Control Mechanism      		Cached Domain Credentials24
      System Information Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
      Obfuscated Files or Information      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
      DLL Side-Loading      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      BCompare-5.0.5.30614.exe0%VirustotalBrowse
      BCompare-5.0.5.30614.exe0%ReversingLabs

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Program Files\Beyond Compare 5\7z.dll (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\BCClipboard.exe (copy)3%ReversingLabs
      C:\Program Files\Beyond Compare 5\BCShellEx.dll (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\BCShellEx64.dll (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\BCUnRAR.dll (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\BComp.com (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\BComp.exe (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\BCompare.exe (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\Patch.exe (copy)3%ReversingLabs
      C:\Program Files\Beyond Compare 5\PdfToText.exe (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-0TV5D.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-4MHOG.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-7ONVI.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-8736U.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-B0TDO.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-B8GAS.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-BS8MP.tmp3%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-EC3JI.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-GGN2U.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-JQNIL.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-K6QSQ.tmp0%ReversingLabs
      C:\Program Files\Beyond Compare 5\is-N3K06.tmp3%ReversingLabs
      C:\Program Files\Beyond Compare 5\mscoree.dll (copy)0%ReversingLabs
      C:\Program Files\Beyond Compare 5\unins000.exe (copy)0%ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp0%ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\BCShellEx.dll0%ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\Is64Bit.dll10%ReversingLabs
      C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\_isetup\_setup64.tmp0%ReversingLabs

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://uri.etsi.org/02231/v2#0%Avira URL Cloudsafe
      http://www.ebics.org/H0030%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST0%Avira URL Cloudsafe
      http://www.totalcmd.net/directory/packer.html0%Avira URL Cloudsafe
      http://uri.etsi.org/01903/v1.2.2#0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/extendedProperties0%Avira URL Cloudsafe
      http://www.ghisler.com/plugins.htm0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/KEscrow0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/Archiv0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/externalLink0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/Certstatus/CRL/QC0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/customXml0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevelUH0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/customXmlDataProps0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/PPwd/nothavingPKIid0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/IdV/nothavingPKIid0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/customXmlProps0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/drawingml/0%Avira URL Cloudsafe
      http://uri.etsi.org/19612/TSLTag0%Avira URL Cloudsafe
      http://uri.etsi.org/01903/v1.2.2#BER0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/TLIssuer0%Avira URL Cloudsafe
      http://gnuwin32.sourceforge.net0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheDefinition0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/image0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/spreadsheetml/0%Avira URL Cloudsafe
      http://uri.etsi.org/02231/v2/additionaltypes#0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/EDS/REM/Q0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/sharedStrings0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/officeDocument0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUgeneric0%Avira URL Cloudsafe
      http://ocsp.sectigo.com0&0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/AdESValidation0%Avira URL Cloudsafe
      http://uri.etsi.org/02231/v1.1.1#0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/NationalRootCA-QC0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/customProperties0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/dialogsheet0%Avira URL Cloudsafe
      http://uri.etsi.org/01903/v1.2.2#SignedProperties0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/CA/PKC0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/QESValidation/Q0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/CA/QC0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/drawingml/chartDrawing0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/tableSingleCells0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/EDS/REM0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/SignaturePolicyAuthority0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/extendedProperties0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/oleObject0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC0%Avira URL Cloudsafe
      https://www.scootersoftware.com.0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/hyperlink0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/AdESGeneration0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/IdV0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QC0%Avira URL Cloudsafe
      http://uri.etsi.org/02231/v2#SH0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/customProperties0%Avira URL Cloudsafe
      http://uri.etsi.org/01903/v1.1.1#0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/xmlMaps0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevel0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/drawingml/main03H0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/EDS/Q0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/chart0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/comments0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/chartsheet0%Avira URL Cloudsafe
      http://uri.etsi.org/TrstSvc/Svctype/Archiv/nothavingPKIid0%Avira URL Cloudsafe
      http://purl.oclc.org/ooxml/officeDocument/relationships/table0%Avira URL Cloudsafe
      http://uri.etsi.org/01903/v1.2.2#XER0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      scootersoftware.com
      		72.32.90.250
      		truefalse
        		high
        www.scootersoftware.com
        		unknown
        		unknownfalse
          		high

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://www.scootersoftware.com/checkupdates.php?product=bc5&minor=0&maint=5&auth=30.15&build=30614&edition=prodebug&cpuarch=x86_64&platform=win32&lang=silentfalse
            		high

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.ghisler.com/plugins.htmBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drfalse
              		high
              http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drfalse
                		high
                http://www.ebics.org/H003BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://purl.oclc.org/ooxml/officeDocument/relationships/extendedPropertiesBCompare.exe, 00000006.00000002.2958303068.00000286A13B5000.00000004.00001000.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://uri.etsi.org/02231/v2#BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://uri.etsi.org/01903/v1.2.2#BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.totalcmd.net/directory/packer.htmlBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://www.scootersoftware.com/buybc5?bld=3061446BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                  		high
                  http://uri.etsi.org/TrstSvc/Svctype/TSA/QTSTBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://uri.etsi.org/TrstSvc/Svctype/KEscrowBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://purl.oclc.org/ooxml/officeDocument/relationships/externalLinkBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://www.scootersoftware.com/checkupdates.php?product=bc5&minor=BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                    		high
                    http://uri.etsi.org/TrstSvc/Svctype/ArchivBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.scootersoftware.com/jBCompare.exe, 00000006.00000002.2956427761.000002869F913000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://www.scootersoftware.com/colors_win5BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                        		high
                        https://www.remobjects.com/psBCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007F87B000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003720000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000000.1693345022.00000000005D1000.00000020.00000001.01000000.00000004.sdmp, BCompare-5.0.5.30614.tmp.0.drfalse
                          		high
                          http://uri.etsi.org/TrstSvc/Svctype/Certstatus/CRL/QCBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://purl.oclc.org/ooxml/officeDocument/customXmlBCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://uri.etsi.org/TrstSvc/Svctype/PPwd/nothavingPKIidBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.innosetup.com/BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007F87B000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003720000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000000.1693345022.00000000005D1000.00000020.00000001.01000000.00000004.sdmp, BCompare-5.0.5.30614.tmp.0.drfalse
                            		high
                            http://purl.oclc.org/ooxml/officeDocument/relationships/customXmlPropsBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://uri.etsi.org/TrstSvc/Svctype/IdV/nothavingPKIidBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevelUHBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://www.scootersoftware.com/forumsBCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A145F000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A1429000.00000004.00001000.00020000.00000000.sdmpfalse
                              		high
                              https://www.scootersoftware.com/buybc5?bld=30614BCompare.exe, 00000006.00000002.2958303068.00000286A13F9000.00000004.00001000.00020000.00000000.sdmpfalse
                                		high
                                http://purl.oclc.org/ooxml/drawingml/BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQESBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://www.scootersoftware.com/support.php?keyword=%s&version=BC5&platform=WindowsBCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                  		high
                                  http://uri.etsi.org/19612/TSLTagBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://purl.oclc.org/ooxml/officeDocument/customXmlDataPropsBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://uri.etsi.org/01903/v1.2.2#BERBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drfalse
                                    		high
                                    http://uri.etsi.org/TrstSvc/Svctype/TLIssuerBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://api.dropboxapi.com/2/BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                      		high
                                      http://purl.oclc.org/ooxml/officeDocument/relationships/imageBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://gnuwin32.sourceforge.netBCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000002.2186041323.000000000039C000.00000004.00000010.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://purl.oclc.org/ooxml/officeDocument/relationships/pivotCacheDefinitionBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://purl.oclc.org/ooxml/spreadsheetml/BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://uri.etsi.org/TrstSvc/Svctype/EDS/REM/QBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                        		high
                                        http://purl.oclc.org/ooxml/officeDocument/relationships/sharedStringsBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://uri.etsi.org/02231/v2/additionaltypes#BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://uri.etsi.org/TrstSvc/TrustedList/TSLType/EUgenericBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://purl.oclc.org/ooxml/officeDocument/relationships/officeDocumentBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://uri.etsi.org/TrstSvc/Svctype/AdESValidationBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://ocsp.sectigo.com0&BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://uri.etsi.org/02231/v1.1.1#BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://www.scootersoftware.com/upgradeSHBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                          		high
                                          http://purl.oclc.org/ooxml/officeDocument/relationships/customPropertiesBCompare.exe, 00000006.00000002.2958303068.00000286A13B5000.00000004.00001000.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://uri.etsi.org/TrstSvc/Svctype/NationalRootCA-QCBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://purl.oclc.org/ooxml/officeDocument/relationships/dialogsheetBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://content.dropboxapi.com/2/files/BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                            		high
                                            http://uri.etsi.org/01903/v1.2.2#SignedPropertiesBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            https://www.scootersoftware.com/videos_win5BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmp, BCompare.exe, 00000006.00000002.2958303068.00000286A13CB000.00000004.00001000.00020000.00000000.sdmpfalse
                                              		high
                                              http://uri.etsi.org/TrstSvc/Svctype/QESValidation/QBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://uri.etsi.org/TrstSvc/Svctype/CA/PKCBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/grantedBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zBCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drfalse
                                                		high
                                                http://purl.oclc.org/ooxml/officeDocument/BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://uri.etsi.org/TrstSvc/Svctype/CA/QCBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://purl.oclc.org/ooxml/drawingml/chartDrawingBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://uri.etsi.org/TrstSvc/Svctype/SignaturePolicyAuthorityBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://purl.oclc.org/ooxml/officeDocument/relationships/tableSingleCellsBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://uri.etsi.org/TrstSvc/Svctype/EDS/REMBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QCBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://www.scootersoftware.com/BCompare-5.0.5.30614.tmp, 00000001.00000003.1821334331.0000000003660000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2181663945.00000000028CC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000002.2186041323.000000000039C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://purl.oclc.org/ooxml/officeDocument/extendedPropertiesBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://purl.oclc.org/ooxml/officeDocument/relationships/oleObjectBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://www.scootersoftware.com.BCompare-5.0.5.30614.tmp, 00000001.00000002.2187193317.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.1825550777.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2184346123.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2184396439.0000000000D87000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2184396439.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2180501409.00000000038D2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://ocsp.sectigo.com0BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drfalse
                                                    		high
                                                    http://uri.etsi.org/02231/v2#SHBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://www.scootersoftware.com/buynowBCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000002.2186041323.000000000039C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://uri.etsi.org/TrstSvc/Svctype/AdESGenerationBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://purl.oclc.org/ooxml/officeDocument/relationships/hyperlinkBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://uri.etsi.org/TrstSvc/Svctype/IdVBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://login.microsoftonline.com/common/oauth2/v2.0/authorizeBCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/soap/envelope/BCompare.exe, 00000006.00000000.2114018440.00000000009C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                          		high
                                                          http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QCBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://www.scootersoftware.com/checkupdates.php?product=bc5&minor=0&maint=5&auth=30.15&build=30614&BCompare.exe, 00000006.00000002.2958303068.00000286A13BC000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2956427761.000002869F913000.00000004.00000020.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2956427761.000002869F969000.00000004.00000020.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D4B000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://www.scootersoftware.com/upgradeBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                              		high
                                                              http://purl.oclc.org/ooxml/officeDocument/relationships/xmlMapsBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drfalse
                                                                		high
                                                                http://purl.oclc.org/ooxml/officeDocument/customPropertiesBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://www.scootersoftware.com/)BCompare-5.0.5.30614.exe, 00000000.00000003.2191926141.000000000327C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://uri.etsi.org/01903/v1.1.1#BCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://purl.oclc.org/ooxml/officeDocument/relationships/chartBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/recognisedatnationallevelBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://purl.oclc.org/ooxml/drawingml/main03HBCompare.exe, 00000006.00000002.2958303068.00000286A145F000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://api.dropboxapi.com/BCompare.exe, 00000006.00000000.2114018440.0000000001DC1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                                    		high
                                                                    https://www.scootersoftware.com/bugRepMailer.phpBCompare.exe, 00000006.00000000.2141040356.00000000038D1000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                      		high
                                                                      http://uri.etsi.org/TrstSvc/Svctype/EDS/QBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0BCompare-5.0.5.30614.exe, 00000000.00000003.1691899255.000000007FBCC000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.exe, 00000000.00000003.1691467612.0000000003890000.00000004.00001000.00020000.00000000.sdmp, BCompare-5.0.5.30614.tmp, 00000001.00000003.2170041651.00000000065B0000.00000004.00001000.00020000.00000000.sdmp, BCompare.exe, 00000006.00000002.2960128800.00000286A2D52000.00000004.00001000.00020000.00000000.sdmp, is-8736U.tmp.1.dr, is-7ONVI.tmp.1.dr, is-4MHOG.tmp.1.dr, BCompare-5.0.5.30614.tmp.0.dr, is-BS8MP.tmp.1.dr, BCShellEx.dll.1.drfalse
                                                                        		high
                                                                        http://purl.oclc.org/ooxml/officeDocument/relationships/commentsBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://purl.oclc.org/ooxml/officeDocument/relationships/chartsheetBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://uri.etsi.org/01903/v1.2.2#XERBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://uri.etsi.org/TrstSvc/Svctype/Archiv/nothavingPKIidBCompare.exe, 00000006.00000000.2114018440.00000000013C1000.00000020.00000001.01000000.0000000A.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://scootersoftware.com/kb/netsetupSetupUBCompare-5.0.5.30614.exefalse
                                                                          		high
                                                                          http://purl.oclc.org/ooxml/officeDocument/relationships/tableBCompare.exe, 00000006.00000002.2958303068.00000286A1381000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown

                                                                          World Map of Contacted IPs

                                                                          • No. of IPs < 25%
                                                                          • 25% < No. of IPs < 50%
                                                                          • 50% < No. of IPs < 75%
                                                                          • 75% < No. of IPs

                                                                          Public IPs

                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                          72.32.90.250
                                                                          		scootersoftware.comUnited States
                                                                          		33070RMH-14USfalse

                                                                          General Information

                                                                          Joe Sandbox version:42.0.0 Malachite
                                                                          Analysis ID:1592373
                                                                          Start date and time:2025-01-16 01:55:12 +01:00
                                                                          Joe Sandbox product:CloudBasic
                                                                          Overall analysis duration:0h 7m 50s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                          Number of analysed new started processes analysed:8
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:0
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Sample name:BCompare-5.0.5.30614.exe
                                                                          Detection:CLEAN
                                                                          Classification:clean15.evad.winEXE@5/48@1/1
                                                                          EGA Information:
                                                                          • Successful, ratio: 100%
                                                                          HCA Information:Failed
                                                                          Cookbook Comments:
                                                                          • Found application associated with file extension: .exe

                                                                          Warnings

                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                          • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                                          Simulations

                                                                          Behavior and APIs

                                                                          TimeTypeDescription
                                                                          19:57:01API Interceptor31x Sleep call for process: BCompare.exe modified

                                                                          Joe Sandbox View / Context

                                                                          IPs

                                                                          No context

                                                                          Domains

                                                                          No context

                                                                          ASNs

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          RMH-14UShttps://www.databreachtoday.com/showOnDemand.php?webinarID=6054&rf=OD_REQUEST;Get hashmaliciousUnknownBrowse
                                                                          • 104.130.251.6
                                                                          Fantazy.arm4.elfGet hashmaliciousUnknownBrowse
                                                                          • 67.23.143.42
                                                                          meth2.elfGet hashmaliciousMiraiBrowse
                                                                          • 72.41.62.234
                                                                          miori.arm.elfGet hashmaliciousUnknownBrowse
                                                                          • 166.78.21.65
                                                                          loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                                          • 162.209.78.18
                                                                          nklppc.elfGet hashmaliciousUnknownBrowse
                                                                          • 72.233.71.43
                                                                          sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                          • 72.233.10.88
                                                                          loligang.spc.elfGet hashmaliciousMiraiBrowse
                                                                          • 173.203.246.137
                                                                          loligang.arm.elfGet hashmaliciousMiraiBrowse
                                                                          • 72.41.205.250
                                                                          1.elfGet hashmaliciousUnknownBrowse
                                                                          • 174.143.133.81

                                                                          JA3 Fingerprints

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          37f463bf4616ecd445d4a1937da06e19download.bin.exeGet hashmaliciousNjrat, XRedBrowse
                                                                          • 72.32.90.250
                                                                          Handler.exeGet hashmaliciousDanaBot, PureLog Stealer, VidarBrowse
                                                                          • 72.32.90.250
                                                                          BNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                                          • 72.32.90.250
                                                                          setup.msiGet hashmaliciousUnknownBrowse
                                                                          • 72.32.90.250
                                                                          00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                                                          • 72.32.90.250
                                                                          00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                                                          • 72.32.90.250
                                                                          Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                          • 72.32.90.250
                                                                          138745635-72645747.116.exeGet hashmaliciousUnknownBrowse
                                                                          • 72.32.90.250
                                                                          2834573-3676874985.02.exeGet hashmaliciousUnknownBrowse
                                                                          • 72.32.90.250

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\Program Files\Beyond Compare 5\7z.dll (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1930840
                                                                          Entropy (8bit):6.33237636358266
                                                                          Encrypted:false
                                                                          SSDEEP:24576:aL9NgP+4hcdTDeM1EF7Jx2meoI4Tzp7iyeNgzd6Nv7XRiTo7l:Y9NgPjM1E7JPx+ye5j
                                                                          MD5:09DEBB1FCDFA60A9292B3ED9101E1070
                                                                          SHA1:0E43EAABCCED3BBEF5499E7AA8B7DEF490001695
                                                                          SHA-256:65B3E54E908AB565F01951C6FDA4BAC4A7DC9DF714787865DC8627C28EDF075E
                                                                          SHA-512:0B7037D664A10D91DC2027CF611201F8BEF96593E63EADAB697CD899D6F6948DC8F7BDC21AB8FEEE2673C59F4EB4528EC552E71E769997CEBBD33F5FD4272B00
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Reputation:low
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:=..Tn..Tn..Tn.J)n..Tn.J/n..Tn..Un..Tn.J:n0.Tn.J9n..TnYQPo..TnB.Wo..Tn.J.n..Tn.J(n..Tn.J,n..TnRich..Tn........................PE..d... .Jg.........." .....d................................................... ............`.....................................................x....@..p.......P?......XZ.......#...................................................................................text....c.......d.................. ..`.rdata..a............h..............@..@.data........ ......................@....pdata..P?.......@..................@..@.rsrc...p....@.......J..............@..@.reloc...6.......8..................@..B................................................................................................................................................................................................................................................

                                                                          C:\Program Files\Beyond Compare 5\BCClipboard.exe (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1366168
                                                                          Entropy (8bit):6.415840843991004
                                                                          Encrypted:false
                                                                          SSDEEP:24576:4xsUzfNDznSjBSNiwHkWHvQYmBnSkFWBwCPnqkUPRF1QI51kyZnjLRiFj7s:yRcZSfnqkARr5/kyJp
                                                                          MD5:CAD58CCC9D60022AF4585A9637FC7CDC
                                                                          SHA1:A32160A26818F54F7F3F3C821E7CED9574E56EE2
                                                                          SHA-256:B9AFA25753471020288F1503D78A475C4686C0B17B82AFBD7D15A8BCD37A602C
                                                                          SHA-512:2ABC06821FD0249888210E96E2632B32567114B7404DC146A510397F928EC3C9155DCB0B3F54D8A92CD8169E4B606754D6CD829596073FA75F6A6FC19C19F637
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                          Reputation:low
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....h.g..........................................@..........................@.......u....@......@...............................4...0...............~...Z.......6...................................................................................text...4........................... ..`.itext.............................. ..`.data...,'.......(..................@....bss.... S... ...........................idata...4.......4..................@....didata..............2..............@....tls....<............6...................rdata...............6..............@..@.reloc...6.......8...8..............@..B.rsrc........0.......p..............@..@.............@.......~..............@..@........................................................

                                                                          C:\Program Files\Beyond Compare 5\BCDarkTheme.vsf (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):117919
                                                                          Entropy (8bit):7.9325422846055975
                                                                          Encrypted:false
                                                                          SSDEEP:3072:GrD+cDwi1NgdocNRKwzGJDY33k24cZVQIglJ:EHNgicmI3k5MVQI6
                                                                          MD5:D0E6160F95DEC7D8144FBDFFEC363A70
                                                                          SHA1:4296E529D38E58FF061224D16D9C40FEB383518F
                                                                          SHA-256:4451C04DBA74A54CBEE5DF7EB7431E9A3EE6E18F7126FFAE0C06EF3CB1EE4F74
                                                                          SHA-512:1AE2BF4E11D2D8C201773C0B71173D2751E40B03D1D49A8ADBB3CA75A3DB2E1A03CCE481B95D85C5AEC239B5BEC0D4E35179D3526D41D63CE20DF9443FBAEA12
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:VCL_STYLE 2.0x....-E}..?.0y pd...D.4 (....8a..............u..A x..&.8].z..b$.k.....W.5...|.E}.,s1.......jW.......w........tUu..+++..\.r..W._y..+G......\.r...+...\....{...l...+.i..-..wn..]n.:..u...2..R..X.....<.^.../v.x.....M%..i..ie3....).]y..+....n.....,.\.j.j..F{..l#/Y.v....W..............................................................................................................................................................................R#....c.W9.....F..zm4..M...k.x.............a{.c..<.".'.h.......r...{.z....v.K..].....ZP?u.y.q...1.,.7..uB.;..v2.o..W..).^.....v......=.8.P..2.4.nt.GmL....\.6.1....yp9Elc<.x.q....)k.n.[.!n.r.l........?..v.+...^.3.`...0N4^g.....C..>u.k.e.....eQ..]..._l.]KV...8.........h]..`..m......z.....k.=..2.Q....m......m\d........A..bh..w4..............\`.3B..^..>..^.n..~....FW.....!..|..}R[DW=...\..?....3...r.......tM~.1.^m....w|}....Zo7.m.........i.1.............0.7.k4.c....M..i7.....b......W...O.m.....

                                                                          C:\Program Files\Beyond Compare 5\BCShellEx.dll (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1262808
                                                                          Entropy (8bit):6.632499883121238
                                                                          Encrypted:false
                                                                          SSDEEP:24576:sN5UJV9oW9ZA1mYB8IVt2cRsZWteJRinG7Q:01VtvsZhY
                                                                          MD5:13681B409B6DF2DED5571078B2D57D83
                                                                          SHA1:DD428A73A748D83482C4D2426FE95D6BD7920DDA
                                                                          SHA-256:85B973702360FF9C1B13EE84F1E4986CC7BA2B11573B7E9662F4F9A3157F54B2
                                                                          SHA-512:86792D3188B2394A714435C210644EBAFD728344A8B0B25B80141CCDDBB4DCF7ABF643D1D7F84ED53704F1F7621C7A403CA8FCFBAAA9398074EC47F697B36AFB
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Reputation:low
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....Xg...........!.........&....................@.................................mp....@.............................3.......l........................Z... ..@p...................................................................................text............................... ..`.itext..(........................... ..`.data...p...........................@....bss.....k...`...........................idata..l............R..............@....didata..............f..............@....edata..3............n..............@..@.rdata..E............p..............@..@.reloc..@p... ...r...r..............@..B.rsrc...............................@..@....................................@..@........................................................

                                                                          C:\Program Files\Beyond Compare 5\BCShellEx.msix (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:Zip archive data, at least v4.5 to extract, compression method=store
                                                                          Category:dropped
                                                                          Size (bytes):715123
                                                                          Entropy (8bit):7.9928260409748075
                                                                          Encrypted:true
                                                                          SSDEEP:12288:OU4TwJo1F8i3GRknwVwYdv7ZDJk4eeWZnDW0Fo+OTVt40QgXNo22MOSNrX6hOZ:OXTwJIP3WTTvneeWZW0Foj2gXN+TSp6c
                                                                          MD5:724D51EE993917769408C4E95FBBA467
                                                                          SHA1:97831B365920005EFE9E6DEF3E42EFD80171F5AE
                                                                          SHA-256:8CD9DD80BF4EF277EB98C60E62A60FEA549D831B19E16B386378B5B4DEADA3D2
                                                                          SHA-512:5DC0E55CFE9A363A7ACFD04485AC52A0E69939E52477B339D1BDEE4D590FA5055D1C849824A90C53895F65DA6C9F925BBC62FC3C4E7816BE8CBC66070B98D315
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:PK..-.....Ru.Y................Assets/Logo_44x44.png.PNG........IHDR...,...,.......Z.....sRGB.........gAMA......a.....pHYs...........k.....IDATXG.Xkp\.y~....Z..eY..c.l......$........M.t..G...v.!..N.L...h...[2.mH.pKc.....dK.l.eI.+...<.RS..~.W..|....^.c.}.H$j..V..?...z..k]....jMTZ..Z..*.)...u..+UX.........{...r.3.....p,na-...q....{....A...uQ.V....i4!....B....).\.{<......D.%....3..2..=....7..P p...y..qo......h.A.%....{kM C.....t...f.a...F......S.o.".?..c.Mu....=..+..P,..b....qYh...h.G...(R....-.Y.N.:K...l..u4.<58H.B...H.5:....{..r....p}.i.w....'...N..>9.....x.!Pw...Z..`].."0#|......"}.....E.l.oLM....x.w...S..{..z....>..o.7.~.sv..'@bWo.o........&...0^.Z.e....:.W.U(eJ...<J.|.g.J.M.-*.r..x....,...im...,.J?.e..3g..X......ur..>Kkv..lr...7FG....|h..A.....F._..:.k._.......^.y.AP......9F.]...F.X...,.P$.h4.;r.....w......v...-=..p2...#..ox....#...oX.4P...R..e.I..."Z...$....C...R.m.,...-)l......S..S.P.:.x.S.......>....,m.:.z.../........{xb|...n...f...-...pUJ..y

                                                                          C:\Program Files\Beyond Compare 5\BCShellEx64.dll (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1971416
                                                                          Entropy (8bit):5.992517161974482
                                                                          Encrypted:false
                                                                          SSDEEP:24576:QmMDEg4t6+FP71CaxX1xD/7hocCBH6N7OijrbiRim37E:uzW6+FhbocCBHkFd
                                                                          MD5:05EC4723A1800A7EC750EC6798211C64
                                                                          SHA1:865947AA01DC6EF456D9F0BA2BD2123D6AF30C22
                                                                          SHA-256:FBCF18C63386F2E1F65C7231055DB8BFFADFC8FA3B299617E0EA5AB203FE0AF7
                                                                          SHA-512:BA0BBF2752A80D0C8458E51E68BA940E3CE3CE25B91BE62743CDD153F337898E69CBA0AD073205FBD7BF5526C14B74B84B7A58246A485174B7567CEA3110A480
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Reputation:low
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....Xg.........." .....F...p................@.....................................W.....`.......................... ..................3....................`...i.......Z...0...,..................................................X................................text....D.......F.................. ..`.data...0....`.......J..............@....bss....,................................idata..............................@....didata.............................@....edata..3...........................@..@.rdata..E.... ......................@..@.reloc...,...0......................@..B.pdata...i...`...j...L..............@..@.rsrc...............................@..@....................................@..@........................................

                                                                          C:\Program Files\Beyond Compare 5\BCUnRAR.dll (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):370328
                                                                          Entropy (8bit):6.426476554245018
                                                                          Encrypted:false
                                                                          SSDEEP:6144:AnQk0v5/LzRHfrZd1TpoJTUeseXYurugyh3K/46S37I0RIs5XqiBgl5:Q0v5/LNTZsTUesCYuru24vIx/V
                                                                          MD5:D4766BF4D268E29FCCD2F2259937704A
                                                                          SHA1:72EDA4FCB6B46D5BB278CE9B71A3E9590A19BC8E
                                                                          SHA-256:94DEAB13E51C952F027D394A3EA4405AC89C4E4B194F5BD71290234E805B2E26
                                                                          SHA-512:E68EDD8B1A6613FB06B3FA7BAC902D10C1AA79857CA12DD4605A57C2EAE1639EFD80418A3D127DF0782E369A5DD3CDB53360AC2F15D9103F70E68CF82EF2374D
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Reputation:low
                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......n.6.*.X.*.X.*.X...../.X.....T.X.....'.X...\.:.X...[. .X.#..+.X...]...X.#..%.X.*.Y...X...]...X...X.+.X...+.X.*..+.X...Z.+.X.Rich*.X.........................PE..d...u.@f.........." ...!.0...........f.......................................@....... ....`A.........................................%..t....&..x.... ...............~...(...0..........T.......................(.......@............@..P............................text...n/.......0.................. ..`.rdata.......@.......4..............@..@.data.......@.......*..............@....pdata...........0...>..............@..@_RDATA..\............n..............@..@.rsrc........ .......p..............@..@.reloc.......0.......v..............@..B........................................................................................................................................................................

                                                                          C:\Program Files\Beyond Compare 5\BComp.com (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):125592
                                                                          Entropy (8bit):6.634157139790098
                                                                          Encrypted:false
                                                                          SSDEEP:3072:Lc3qMW05nHiKF3p6pDrt4FqHDehyIHybuQ7RiWBG7k:Lc3bRndhqqtQ7RiWBG7k
                                                                          MD5:DAFC26D851AAF5DC61202241B4A8BB82
                                                                          SHA1:A6E84F72733951274496E775B36F357047EF6304
                                                                          SHA-256:D8D9D88A203FEB473761B54F0979520D405BAF198EA2EEE59833A8E1E0359CC9
                                                                          SHA-512:D488CBE586CA7E8E71D5EB24FC9F5071EDC2BD74E5B7489610D823698C14CF560FE81F9DEB87371B2231A4AC3DE8B5213F1DF56D4A770BF83A1D88A483767955
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.....................^.......A.......P....@..........................@............@......@..............................$.... ...................Z......d"...................................................................................text...,&.......(.................. ..`.itext.......@.......,.............. ..`.data... ....P.......2..............@....bss.....N...`.......B...................idata..$............B..............@....didata..............P..............@....tls.................R...................rdata...............R..............@..@.reloc..d".......$...T..............@..B.rsrc........ .......x..............@..@.............@......................@..@........................................................

                                                                          C:\Program Files\Beyond Compare 5\BComp.exe (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):119448
                                                                          Entropy (8bit):6.7323637929399744
                                                                          Encrypted:false
                                                                          SSDEEP:3072:osHaM/wHVH6aARD1yyCDMu37RixMBjI7yW:osHL/w1Yq37RixMBjI7yW
                                                                          MD5:7508AC91F32709AE8FB76DF339518D89
                                                                          SHA1:44A44903C5F2E0D9360F0A2107A8A392A9B75E8A
                                                                          SHA-256:3136CCCF101A7210E3D530B09B635EE70BD645127EB914941BDCC9B58ABC3CED
                                                                          SHA-512:BFFB4219AC8837BA8FDDD7B56D80DA57B546F2C08330228D731E697B11810919322B94205AFAD1A5E9331C07E22D1CC91019FE8A915ACC7C28AA5507E2F5379F
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.....................\.......1.......@....@..........................0......}.....@......@..............................N....................x...Z.......!..................................................................................text............................... ..`.itext..|....0...................... ..`.data... ....@......................@....bss.....N...P.......,...................idata..N............,..............@....didata..............:..............@....tls.................<...................rdata...............<..............@..@.reloc...!......."...>..............@..B.rsrc................`..............@..@.............0.......x..............@..@........................................................

                                                                          C:\Program Files\Beyond Compare 5\BCompare.chm (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:MS Windows HtmlHelp Data
                                                                          Category:dropped
                                                                          Size (bytes):2720672
                                                                          Entropy (8bit):7.997122439099605
                                                                          Encrypted:true
                                                                          SSDEEP:49152:YcvtXdJMXhfkjuPmIIBzsxaUswo1vmtKl1S7j6YRPsJ22vpnWsoe1An6wl+VeU2f:YeXdY7PmIIBzPdqjzRPslpjAnh+xF5ur
                                                                          MD5:B24BA6D76DB32B11C9F93A47242D7FF0
                                                                          SHA1:EBC8358F5B3B72731AD6904B7CE3CB49E9CC5E02
                                                                          SHA-256:25AA79ADA9AE25FD21432D4470E857D95540198AD47B3CBF6C8D1AB5FD111698
                                                                          SHA-512:79086712AFC0AEEA3457C5D2327E737DB3F5FD935D02ECB70F3125CD2F8E7FA9DDB1E12BD0223B56C6CA36055142240AF0380D9BEE4AA90C3CB92DA7A027474E
                                                                          Malicious:false
                                                                          Preview:ITSF....`.........~%.......|.{.......".....|.{......."..`...............x.......TP.......P................).............ITSP....T...........................................j..].!......."..T...............PMGLA................/..../#IDXHDR....#.../#ITBITS..../#STRINGS......E./#SYSTEM....:./#TOPICS....#.p./#URLSTR....g.../#URLTBL......T./#WINDOWS....].T./$FIftiMain....a..B./$OBJINST....".?./$WWAssociativeLinks/..../$WWAssociativeLinks/BTree....C..L./$WWAssociativeLinks/Data......!./$WWAssociativeLinks/Map....0R./$WWAssociativeLinks/Property..... ./$WWKeywordLinks/..../$WWKeywordLinks/BTree....1..L./$WWKeywordLinks/Data....}.D./$WWKeywordLinks/Map....Ab./$WWKeywordLinks/Property....# ./3-way_merge_concepts.html...i.../accept.png...@.a./archive_files.html...l.'./bcclipmain.html.....~./bcclipmain.png....6.L./bcclipmain_zoom57.png......-./bcclipoptions.html.....Y./bcclipsystemtray.png...^.../bclogo.png....>.}./BCompare.hhc....;..M./BCompare.hhk......../bcshellex.html...j.f./browse.png....

                                                                          C:\Program Files\Beyond Compare 5\BCompare.exe (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):49653848
                                                                          Entropy (8bit):5.862140296411924
                                                                          Encrypted:false
                                                                          SSDEEP:196608:/XdPHlnRWoTcNuaJt7rj2vPUMq5TFHiQt328M7OF/OHHCbbE8v:/XdP9TcNuChj20MCT52D6QHHxK
                                                                          MD5:FCCFCBF8770ADB5B202955DDC140FA2D
                                                                          SHA1:84712A7CDD5DE29723E178B2AF3164C275FC839F
                                                                          SHA-256:24CF0E0C5292FBAC211D717CFED4E4D500E6AA836B88B55DAD8121C94D07B101
                                                                          SHA-512:1B458C81E8739E4EECE4F0D5A0076AA7FEBE9A64DBE0872D3E066CA95996C0FDFA51AE34737743349A2AF03001F8CC2406B1360BE83F50A8B46D979399468AF7
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...pi.g.........."......~....6...............@...........................................`..........@............... ...............`..q........{...............T...M...Z......................................(............................ ..><...................text....}.......~.................. ..`.data.....1.......1.................@....bss.....................................idata...{.......|..................@....didata.><... ...>..................@....edata..q....`.......B..............@..@.tls.........p...........................rdata..m............D..............@..@.reloc...............F..............@..B.pdata...T.......V...b..............@..@.rsrc...............................@..@....................................@..@

                                                                          C:\Program Files\Beyond Compare 5\License.html (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:HTML document, ASCII text, with very long lines (657), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8426
                                                                          Entropy (8bit):4.891243115846035
                                                                          Encrypted:false
                                                                          SSDEEP:96:7R2WDIZPVhQfhjPYAzGbECnwNaLb5lba1GNotQDKhjyei0QYpm9JKsHm:7ACjPYAcECwaz01Qd0QYpmv5Hm
                                                                          MD5:73ED25C52F8EFB2F4982C202BEF8C86A
                                                                          SHA1:F7F5712F785DA55FACAB47F3190E298C2E648EBB
                                                                          SHA-256:567A15377144A3BE77A1B8E6C2EC416860A065270C9C618A7788405300F1200A
                                                                          SHA-512:23D2BF7EB7255A0A8938C800427347C080FE4FE7A0FBC49760F961FBD8F46227C885136179C85F490D662D385A092890238389D5D0D26721F7F81D5AFADF7BDB
                                                                          Malicious:false
                                                                          Preview:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html lang=en>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">..<title>Beyond Compare License Agreement</title>..<style type="text/css">.. body {.. margin: 10px; padding: 0px;.. font-family: Arial, Helvetica, sans-serif;.. font-size: small;.. }.. h2 {.. font-size: large;.. font-weight: bold;.. border-bottom: 1px solid #66CC00;.. margin: 0px 0px 8px 0px;.. }.. h3 {.. font-size: small;.. font-weight: bold;.. margin: 6px 0px 2px 0px;.. }.. p {.. margin: 0px 0px 6px 0px;.. }....</style>..</head>..<body>..<h2>LICENSE AGREEMENT</h2>....<h3>Your use of Beyond Compare is governed by the following Terms and Conditions:</h3>..<br/>....<h3>Acceptance of License Agreement</h3>..<p>You ("Customer") should carefully read the following terms and conditions before using Beyond Compare 5 (the "Software").&nbsp;..Unless

                                                                          C:\Program Files\Beyond Compare 5\Patch.exe (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):123160
                                                                          Entropy (8bit):6.544919559125115
                                                                          Encrypted:false
                                                                          SSDEEP:3072:hIlX/11v+v6C62aktjgJlWLQjpeOMwas+:ulP11v+0zkjilWLSeOMwz+
                                                                          MD5:2BCE1CA54D031FACD5B10D5BD45F5D15
                                                                          SHA1:00FA8972A4A4169DF3B5AA27A05F6151A5278D7F
                                                                          SHA-256:8A6363E1377BD084ADD68445F796C83609BA27BD1B0A06CB339AC92F0B91EE0C
                                                                          SHA-512:872524C7463AD7B4D04EB52DB4EB82B50175B71627D2DEABE6A5D4CC151F50802279B26363F73E861EBC50E2E728322271B4C3D78ABB92ACD6E5A19DF556E93B
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....HF...............8.V...^...............p....@.......................................... ..........................................................)...........................................................................................text... U.......V.................. ..`.data........p.......Z..............@....rdata...?.......@...\..............@..@.bss.....................................idata..............................@....rsrc...............................@...................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Program Files\Beyond Compare 5\PdfToText.exe (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1417304
                                                                          Entropy (8bit):6.044225317736702
                                                                          Encrypted:false
                                                                          SSDEEP:24576:CioXOMpKEyt2fSVjzw5smqgBTgRFB2BlX9EPoAYOQBHRipK7O:iXOMpKEYVjzwbqgBTFrX9BDOt
                                                                          MD5:0520A540933B681B29F3C643F7BBAF1A
                                                                          SHA1:2B5ED2F3309B6905FA593DD5BCE29469391CC1EA
                                                                          SHA-256:BC4A2F3B210F3BA9B5D832BABAF8745C5CD3B0B9B655FF5B524DBF0FD6197FEC
                                                                          SHA-512:4E9D546E608290446899403FD4FFE1444FA51603E9D648263E816147B08864F839D309AA821E7714EB59F6F62192A019D16B473A3C5E055E8E7C680D881D5E1B
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g)s_.G _.G _.G 2[C!I.G 2[D!N.G 2[B!..G ... [.G .nB!u.G .nC!M.G .nD!W.G 2[A!\.G 2[F!V.G _.F -.G .oC!^.G .oB!g.G .oE!^.G Rich_.G ................PE..d...]..e.........."......v..........dr.........@.....................................&....`.....................................................P.... ..x........n...F..XZ...0..\k...................................................................................text...Pu.......v.................. ..`.rdata..t ......."...z..............@..@.data...............................@....pdata...n.......p...d..............@..@.rsrc...x.... ......................@..@.reloc..\k...0...l..................@..B................................................................................................................................................................................................................................

                                                                          C:\Program Files\Beyond Compare 5\Readme.txt (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1418
                                                                          Entropy (8bit):4.5769171362673555
                                                                          Encrypted:false
                                                                          SSDEEP:24:LkrIbHR7Ii98EBsvyLMckMNZfGTcxDETAGFkpyka/3IjcQpbIWqgZv:LkrILx9yyL9dGRsGC4E32yR
                                                                          MD5:E2D1FE4AA1F667F4BA5A7013C8F7751D
                                                                          SHA1:2ABF264734098D9443BB4FC8483D743A1E109392
                                                                          SHA-256:EC3D96578D43FC8C5F1B3A451F9FC06FB6823AB34D89EF7FE34BBC5090426B0C
                                                                          SHA-512:60794E0ACA7B69D6B7A0AFC05E008ABA1C534B16CEBC0F251AF8EA2442E952723510A2F5B89EBFF15BE806C08B95232F28CBCE042AA306ECF4CE4083B514439B
                                                                          Malicious:false
                                                                          Preview:------------------------------------------------------------------------------..Beyond Compare 5..by Scooter Software www.scootersoftware.com..------------------------------------------------------------------------------....1. Description..--------------..Beyond Compare is a file and folder comparison utility for Windows. Use it to..visualize and reconcile differences, merge changes, and synchronize folders.......2. System Requirements..----------------------..This program runs under:..- Windows 10, Windows 10 x64..- Windows Server 2016..- Windows Server 2019..- Windows Server 2022..- Windows 11....Mac and Linux versions are also available on our website.......3. Evaluation Mode..------------------..You can evaluate Beyond Compare for free for 30 days (of actual use). After..30 days the program will require a license key to continue working.....For information on purchasing or upgrading a license, visit:.. https://www.scootersoftware.com/buynow.

                                                                          C:\Program Files\Beyond Compare 5\is-0TV5D.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):119448
                                                                          Entropy (8bit):6.7323637929399744
                                                                          Encrypted:false
                                                                          SSDEEP:3072:osHaM/wHVH6aARD1yyCDMu37RixMBjI7yW:osHL/w1Yq37RixMBjI7yW
                                                                          MD5:7508AC91F32709AE8FB76DF339518D89
                                                                          SHA1:44A44903C5F2E0D9360F0A2107A8A392A9B75E8A
                                                                          SHA-256:3136CCCF101A7210E3D530B09B635EE70BD645127EB914941BDCC9B58ABC3CED
                                                                          SHA-512:BFFB4219AC8837BA8FDDD7B56D80DA57B546F2C08330228D731E697B11810919322B94205AFAD1A5E9331C07E22D1CC91019FE8A915ACC7C28AA5507E2F5379F
                                                                          Malicious:false
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files\Beyond Compare 5\is-0TV5D.tmp, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.....................\.......1.......@....@..........................0......}.....@......@..............................N....................x...Z.......!..................................................................................text............................... ..`.itext..|....0...................... ..`.data... ....@......................@....bss.....N...P.......,...................idata..N............,..............@....didata..............:..............@....tls.................<...................rdata...............<..............@..@.reloc...!......."...>..............@..B.rsrc................`..............@..@.............0.......x..............@..@........................................................

                                                                          C:\Program Files\Beyond Compare 5\is-4MHOG.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1930840
                                                                          Entropy (8bit):6.33237636358266
                                                                          Encrypted:false
                                                                          SSDEEP:24576:aL9NgP+4hcdTDeM1EF7Jx2meoI4Tzp7iyeNgzd6Nv7XRiTo7l:Y9NgPjM1E7JPx+ye5j
                                                                          MD5:09DEBB1FCDFA60A9292B3ED9101E1070
                                                                          SHA1:0E43EAABCCED3BBEF5499E7AA8B7DEF490001695
                                                                          SHA-256:65B3E54E908AB565F01951C6FDA4BAC4A7DC9DF714787865DC8627C28EDF075E
                                                                          SHA-512:0B7037D664A10D91DC2027CF611201F8BEF96593E63EADAB697CD899D6F6948DC8F7BDC21AB8FEEE2673C59F4EB4528EC552E71E769997CEBBD33F5FD4272B00
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:=..Tn..Tn..Tn.J)n..Tn.J/n..Tn..Un..Tn.J:n0.Tn.J9n..TnYQPo..TnB.Wo..Tn.J.n..Tn.J(n..Tn.J,n..TnRich..Tn........................PE..d... .Jg.........." .....d................................................... ............`.....................................................x....@..p.......P?......XZ.......#...................................................................................text....c.......d.................. ..`.rdata..a............h..............@..@.data........ ......................@....pdata..P?.......@..................@..@.rsrc...p....@.......J..............@..@.reloc...6.......8..................@..B................................................................................................................................................................................................................................................

                                                                          C:\Program Files\Beyond Compare 5\is-7NT86.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1418
                                                                          Entropy (8bit):4.5769171362673555
                                                                          Encrypted:false
                                                                          SSDEEP:24:LkrIbHR7Ii98EBsvyLMckMNZfGTcxDETAGFkpyka/3IjcQpbIWqgZv:LkrILx9yyL9dGRsGC4E32yR
                                                                          MD5:E2D1FE4AA1F667F4BA5A7013C8F7751D
                                                                          SHA1:2ABF264734098D9443BB4FC8483D743A1E109392
                                                                          SHA-256:EC3D96578D43FC8C5F1B3A451F9FC06FB6823AB34D89EF7FE34BBC5090426B0C
                                                                          SHA-512:60794E0ACA7B69D6B7A0AFC05E008ABA1C534B16CEBC0F251AF8EA2442E952723510A2F5B89EBFF15BE806C08B95232F28CBCE042AA306ECF4CE4083B514439B
                                                                          Malicious:false
                                                                          Preview:------------------------------------------------------------------------------..Beyond Compare 5..by Scooter Software www.scootersoftware.com..------------------------------------------------------------------------------....1. Description..--------------..Beyond Compare is a file and folder comparison utility for Windows. Use it to..visualize and reconcile differences, merge changes, and synchronize folders.......2. System Requirements..----------------------..This program runs under:..- Windows 10, Windows 10 x64..- Windows Server 2016..- Windows Server 2019..- Windows Server 2022..- Windows 11....Mac and Linux versions are also available on our website.......3. Evaluation Mode..------------------..You can evaluate Beyond Compare for free for 30 days (of actual use). After..30 days the program will require a license key to continue working.....For information on purchasing or upgrading a license, visit:.. https://www.scootersoftware.com/buynow.

                                                                          C:\Program Files\Beyond Compare 5\is-7ONVI.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1417304
                                                                          Entropy (8bit):6.044225317736702
                                                                          Encrypted:false
                                                                          SSDEEP:24576:CioXOMpKEyt2fSVjzw5smqgBTgRFB2BlX9EPoAYOQBHRipK7O:iXOMpKEYVjzwbqgBTFrX9BDOt
                                                                          MD5:0520A540933B681B29F3C643F7BBAF1A
                                                                          SHA1:2B5ED2F3309B6905FA593DD5BCE29469391CC1EA
                                                                          SHA-256:BC4A2F3B210F3BA9B5D832BABAF8745C5CD3B0B9B655FF5B524DBF0FD6197FEC
                                                                          SHA-512:4E9D546E608290446899403FD4FFE1444FA51603E9D648263E816147B08864F839D309AA821E7714EB59F6F62192A019D16B473A3C5E055E8E7C680D881D5E1B
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g)s_.G _.G _.G 2[C!I.G 2[D!N.G 2[B!..G ... [.G .nB!u.G .nC!M.G .nD!W.G 2[A!\.G 2[F!V.G _.F -.G .oC!^.G .oB!g.G .oE!^.G Rich_.G ................PE..d...]..e.........."......v..........dr.........@.....................................&....`.....................................................P.... ..x........n...F..XZ...0..\k...................................................................................text...Pu.......v.................. ..`.rdata..t ......."...z..............@..@.data...............................@....pdata...n.......p...d..............@..@.rsrc...x.... ......................@..@.reloc..\k...0...l..................@..B................................................................................................................................................................................................................................

                                                                          C:\Program Files\Beyond Compare 5\is-8736U.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1262808
                                                                          Entropy (8bit):6.632499883121238
                                                                          Encrypted:false
                                                                          SSDEEP:24576:sN5UJV9oW9ZA1mYB8IVt2cRsZWteJRinG7Q:01VtvsZhY
                                                                          MD5:13681B409B6DF2DED5571078B2D57D83
                                                                          SHA1:DD428A73A748D83482C4D2426FE95D6BD7920DDA
                                                                          SHA-256:85B973702360FF9C1B13EE84F1E4986CC7BA2B11573B7E9662F4F9A3157F54B2
                                                                          SHA-512:86792D3188B2394A714435C210644EBAFD728344A8B0B25B80141CCDDBB4DCF7ABF643D1D7F84ED53704F1F7621C7A403CA8FCFBAAA9398074EC47F697B36AFB
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....Xg...........!.........&....................@.................................mp....@.............................3.......l........................Z... ..@p...................................................................................text............................... ..`.itext..(........................... ..`.data...p...........................@....bss.....k...`...........................idata..l............R..............@....didata..............f..............@....edata..3............n..............@..@.rdata..E............p..............@..@.reloc..@p... ...r...r..............@..B.rsrc...............................@..@....................................@..@........................................................

                                                                          C:\Program Files\Beyond Compare 5\is-B0TDO.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):125592
                                                                          Entropy (8bit):6.634157139790098
                                                                          Encrypted:false
                                                                          SSDEEP:3072:Lc3qMW05nHiKF3p6pDrt4FqHDehyIHybuQ7RiWBG7k:Lc3bRndhqqtQ7RiWBG7k
                                                                          MD5:DAFC26D851AAF5DC61202241B4A8BB82
                                                                          SHA1:A6E84F72733951274496E775B36F357047EF6304
                                                                          SHA-256:D8D9D88A203FEB473761B54F0979520D405BAF198EA2EEE59833A8E1E0359CC9
                                                                          SHA-512:D488CBE586CA7E8E71D5EB24FC9F5071EDC2BD74E5B7489610D823698C14CF560FE81F9DEB87371B2231A4AC3DE8B5213F1DF56D4A770BF83A1D88A483767955
                                                                          Malicious:false
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files\Beyond Compare 5\is-B0TDO.tmp, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.....................^.......A.......P....@..........................@............@......@..............................$.... ...................Z......d"...................................................................................text...,&.......(.................. ..`.itext.......@.......,.............. ..`.data... ....P.......2..............@....bss.....N...`.......B...................idata..$............B..............@....didata..............P..............@....tls.................R...................rdata...............R..............@..@.reloc..d".......$...T..............@..B.rsrc........ .......x..............@..@.............@......................@..@........................................................

                                                                          C:\Program Files\Beyond Compare 5\is-B8GAS.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):49653848
                                                                          Entropy (8bit):5.862140296411924
                                                                          Encrypted:false
                                                                          SSDEEP:196608:/XdPHlnRWoTcNuaJt7rj2vPUMq5TFHiQt328M7OF/OHHCbbE8v:/XdP9TcNuChj20MCT52D6QHHxK
                                                                          MD5:FCCFCBF8770ADB5B202955DDC140FA2D
                                                                          SHA1:84712A7CDD5DE29723E178B2AF3164C275FC839F
                                                                          SHA-256:24CF0E0C5292FBAC211D717CFED4E4D500E6AA836B88B55DAD8121C94D07B101
                                                                          SHA-512:1B458C81E8739E4EECE4F0D5A0076AA7FEBE9A64DBE0872D3E066CA95996C0FDFA51AE34737743349A2AF03001F8CC2406B1360BE83F50A8B46D979399468AF7
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...pi.g.........."......~....6...............@...........................................`..........@............... ...............`..q........{...............T...M...Z......................................(............................ ..><...................text....}.......~.................. ..`.data.....1.......1.................@....bss.....................................idata...{.......|..................@....didata.><... ...>..................@....edata..q....`.......B..............@..@.tls.........p...........................rdata..m............D..............@..@.reloc...............F..............@..B.pdata...T.......V...b..............@..@.rsrc...............................@..@....................................@..@

                                                                          C:\Program Files\Beyond Compare 5\is-BS8MP.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1366168
                                                                          Entropy (8bit):6.415840843991004
                                                                          Encrypted:false
                                                                          SSDEEP:24576:4xsUzfNDznSjBSNiwHkWHvQYmBnSkFWBwCPnqkUPRF1QI51kyZnjLRiFj7s:yRcZSfnqkARr5/kyJp
                                                                          MD5:CAD58CCC9D60022AF4585A9637FC7CDC
                                                                          SHA1:A32160A26818F54F7F3F3C821E7CED9574E56EE2
                                                                          SHA-256:B9AFA25753471020288F1503D78A475C4686C0B17B82AFBD7D15A8BCD37A602C
                                                                          SHA-512:2ABC06821FD0249888210E96E2632B32567114B7404DC146A510397F928EC3C9155DCB0B3F54D8A92CD8169E4B606754D6CD829596073FA75F6A6FC19C19F637
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....h.g..........................................@..........................@.......u....@......@...............................4...0...............~...Z.......6...................................................................................text...4........................... ..`.itext.............................. ..`.data...,'.......(..................@....bss.... S... ...........................idata...4.......4..................@....didata..............2..............@....tls....<............6...................rdata...............6..............@..@.reloc...6.......8...8..............@..B.rsrc........0.......p..............@..@.............@.......~..............@..@........................................................

                                                                          C:\Program Files\Beyond Compare 5\is-C1132.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):117919
                                                                          Entropy (8bit):7.9325422846055975
                                                                          Encrypted:false
                                                                          SSDEEP:3072:GrD+cDwi1NgdocNRKwzGJDY33k24cZVQIglJ:EHNgicmI3k5MVQI6
                                                                          MD5:D0E6160F95DEC7D8144FBDFFEC363A70
                                                                          SHA1:4296E529D38E58FF061224D16D9C40FEB383518F
                                                                          SHA-256:4451C04DBA74A54CBEE5DF7EB7431E9A3EE6E18F7126FFAE0C06EF3CB1EE4F74
                                                                          SHA-512:1AE2BF4E11D2D8C201773C0B71173D2751E40B03D1D49A8ADBB3CA75A3DB2E1A03CCE481B95D85C5AEC239B5BEC0D4E35179D3526D41D63CE20DF9443FBAEA12
                                                                          Malicious:false
                                                                          Preview:VCL_STYLE 2.0x....-E}..?.0y pd...D.4 (....8a..............u..A x..&.8].z..b$.k.....W.5...|.E}.,s1.......jW.......w........tUu..+++..\.r..W._y..+G......\.r...+...\....{...l...+.i..-..wn..]n.:..u...2..R..X.....<.^.../v.x.....M%..i..ie3....).]y..+....n.....,.\.j.j..F{..l#/Y.v....W..............................................................................................................................................................................R#....c.W9.....F..zm4..M...k.x.............a{.c..<.".'.h.......r...{.z....v.K..].....ZP?u.y.q...1.,.7..uB.;..v2.o..W..).^.....v......=.8.P..2.4.nt.GmL....\.6.1....yp9Elc<.x.q....)k.n.[.!n.r.l........?..v.+...^.3.`...0N4^g.....C..>u.k.e.....eQ..]..._l.]KV...8.........h]..`..m......z.....k.=..2.Q....m......m\d........A..bh..w4..............\`.3B..^..>..^.n..~....FW.....!..|..}R[DW=...\..?....3...r.......tM~.1.^m....w|}....Zo7.m.........i.1.............0.7.k4.c....M..i7.....b......W...O.m.....

                                                                          C:\Program Files\Beyond Compare 5\is-C1RH0.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:Zip archive data, at least v4.5 to extract, compression method=store
                                                                          Category:dropped
                                                                          Size (bytes):715123
                                                                          Entropy (8bit):7.9928260409748075
                                                                          Encrypted:true
                                                                          SSDEEP:12288:OU4TwJo1F8i3GRknwVwYdv7ZDJk4eeWZnDW0Fo+OTVt40QgXNo22MOSNrX6hOZ:OXTwJIP3WTTvneeWZW0Foj2gXN+TSp6c
                                                                          MD5:724D51EE993917769408C4E95FBBA467
                                                                          SHA1:97831B365920005EFE9E6DEF3E42EFD80171F5AE
                                                                          SHA-256:8CD9DD80BF4EF277EB98C60E62A60FEA549D831B19E16B386378B5B4DEADA3D2
                                                                          SHA-512:5DC0E55CFE9A363A7ACFD04485AC52A0E69939E52477B339D1BDEE4D590FA5055D1C849824A90C53895F65DA6C9F925BBC62FC3C4E7816BE8CBC66070B98D315
                                                                          Malicious:false
                                                                          Preview:PK..-.....Ru.Y................Assets/Logo_44x44.png.PNG........IHDR...,...,.......Z.....sRGB.........gAMA......a.....pHYs...........k.....IDATXG.Xkp\.y~....Z..eY..c.l......$........M.t..G...v.!..N.L...h...[2.mH.pKc.....dK.l.eI.+...<.RS..~.W..|....^.c.}.H$j..V..?...z..k]....jMTZ..Z..*.)...u..+UX.........{...r.3.....p,na-...q....{....A...uQ.V....i4!....B....).\.{<......D.%....3..2..=....7..P p...y..qo......h.A.%....{kM C.....t...f.a...F......S.o.".?..c.Mu....=..+..P,..b....qYh...h.G...(R....-.Y.N.:K...l..u4.<58H.B...H.5:....{..r....p}.i.w....'...N..>9.....x.!Pw...Z..`].."0#|......"}.....E.l.oLM....x.w...S..{..z....>..o.7.~.sv..'@bWo.o........&...0^.Z.e....:.W.U(eJ...<J.|.g.J.M.-*.r..x....,...im...,.J?.e..3g..X......ur..>Kkv..lr...7FG....|h..A.....F._..:.k._.......^.y.AP......9F.]...F.X...,.P$.h4.;r.....w......v...-=..p2...#..ox....#...oX.4P...R..e.I..."Z...$....C...R.m.,...-)l......S..S.P.:.x.S.......>....,m.:.z.../........{xb|...n...f...-...pUJ..y

                                                                          C:\Program Files\Beyond Compare 5\is-EC3JI.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):370328
                                                                          Entropy (8bit):6.426476554245018
                                                                          Encrypted:false
                                                                          SSDEEP:6144:AnQk0v5/LzRHfrZd1TpoJTUeseXYurugyh3K/46S37I0RIs5XqiBgl5:Q0v5/LNTZsTUesCYuru24vIx/V
                                                                          MD5:D4766BF4D268E29FCCD2F2259937704A
                                                                          SHA1:72EDA4FCB6B46D5BB278CE9B71A3E9590A19BC8E
                                                                          SHA-256:94DEAB13E51C952F027D394A3EA4405AC89C4E4B194F5BD71290234E805B2E26
                                                                          SHA-512:E68EDD8B1A6613FB06B3FA7BAC902D10C1AA79857CA12DD4605A57C2EAE1639EFD80418A3D127DF0782E369A5DD3CDB53360AC2F15D9103F70E68CF82EF2374D
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......n.6.*.X.*.X.*.X...../.X.....T.X.....'.X...\.:.X...[. .X.#..+.X...]...X.#..%.X.*.Y...X...]...X...X.+.X...+.X.*..+.X...Z.+.X.Rich*.X.........................PE..d...u.@f.........." ...!.0...........f.......................................@....... ....`A.........................................%..t....&..x.... ...............~...(...0..........T.......................(.......@............@..P............................text...n/.......0.................. ..`.rdata.......@.......4..............@..@.data.......@.......*..............@....pdata...........0...>..............@..@_RDATA..\............n..............@..@.rsrc........ .......p..............@..@.reloc.......0.......v..............@..B........................................................................................................................................................................

                                                                          C:\Program Files\Beyond Compare 5\is-FDK6U.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:MS Windows HtmlHelp Data
                                                                          Category:dropped
                                                                          Size (bytes):2720672
                                                                          Entropy (8bit):7.997122439099605
                                                                          Encrypted:true
                                                                          SSDEEP:49152:YcvtXdJMXhfkjuPmIIBzsxaUswo1vmtKl1S7j6YRPsJ22vpnWsoe1An6wl+VeU2f:YeXdY7PmIIBzPdqjzRPslpjAnh+xF5ur
                                                                          MD5:B24BA6D76DB32B11C9F93A47242D7FF0
                                                                          SHA1:EBC8358F5B3B72731AD6904B7CE3CB49E9CC5E02
                                                                          SHA-256:25AA79ADA9AE25FD21432D4470E857D95540198AD47B3CBF6C8D1AB5FD111698
                                                                          SHA-512:79086712AFC0AEEA3457C5D2327E737DB3F5FD935D02ECB70F3125CD2F8E7FA9DDB1E12BD0223B56C6CA36055142240AF0380D9BEE4AA90C3CB92DA7A027474E
                                                                          Malicious:false
                                                                          Preview:ITSF....`.........~%.......|.{.......".....|.{......."..`...............x.......TP.......P................).............ITSP....T...........................................j..].!......."..T...............PMGLA................/..../#IDXHDR....#.../#ITBITS..../#STRINGS......E./#SYSTEM....:./#TOPICS....#.p./#URLSTR....g.../#URLTBL......T./#WINDOWS....].T./$FIftiMain....a..B./$OBJINST....".?./$WWAssociativeLinks/..../$WWAssociativeLinks/BTree....C..L./$WWAssociativeLinks/Data......!./$WWAssociativeLinks/Map....0R./$WWAssociativeLinks/Property..... ./$WWKeywordLinks/..../$WWKeywordLinks/BTree....1..L./$WWKeywordLinks/Data....}.D./$WWKeywordLinks/Map....Ab./$WWKeywordLinks/Property....# ./3-way_merge_concepts.html...i.../accept.png...@.a./archive_files.html...l.'./bcclipmain.html.....~./bcclipmain.png....6.L./bcclipmain_zoom57.png......-./bcclipoptions.html.....Y./bcclipsystemtray.png...^.../bclogo.png....>.}./BCompare.hhc....;..M./BCompare.hhk......../bcshellex.html...j.f./browse.png....

                                                                          C:\Program Files\Beyond Compare 5\is-GGN2U.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1971416
                                                                          Entropy (8bit):5.992517161974482
                                                                          Encrypted:false
                                                                          SSDEEP:24576:QmMDEg4t6+FP71CaxX1xD/7hocCBH6N7OijrbiRim37E:uzW6+FhbocCBHkFd
                                                                          MD5:05EC4723A1800A7EC750EC6798211C64
                                                                          SHA1:865947AA01DC6EF456D9F0BA2BD2123D6AF30C22
                                                                          SHA-256:FBCF18C63386F2E1F65C7231055DB8BFFADFC8FA3B299617E0EA5AB203FE0AF7
                                                                          SHA-512:BA0BBF2752A80D0C8458E51E68BA940E3CE3CE25B91BE62743CDD153F337898E69CBA0AD073205FBD7BF5526C14B74B84B7A58246A485174B7567CEA3110A480
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....Xg.........." .....F...p................@.....................................W.....`.......................... ..................3....................`...i.......Z...0...,..................................................X................................text....D.......F.................. ..`.data...0....`.......J..............@....bss....,................................idata..............................@....didata.............................@....edata..3...........................@..@.rdata..E.... ......................@..@.reloc...,...0......................@..B.pdata...i...`...j...L..............@..@.rsrc...............................@..@....................................@..@........................................

                                                                          C:\Program Files\Beyond Compare 5\is-JQNIL.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3696328
                                                                          Entropy (8bit):6.520608646636147
                                                                          Encrypted:false
                                                                          SSDEEP:49152:cjk49uHREeaiWBwS+7XLr2KE0WmF484FdJlmZg8psz1OfMkQTQsm9bj7KRg3337g:Mk49uxdPWiWmF4lkQTQiRg3337oMe
                                                                          MD5:A25B91D7630476A0FD62AF6290460D8C
                                                                          SHA1:2ECC25942594862971A53CE1D810B1DE8DC0BFC8
                                                                          SHA-256:623F17639D449D0D08AD1EA2634E64CE3F5E4852A6737B262019C5F3AA81A7E3
                                                                          SHA-512:3A1354A8D80B0808C337BE2008AA72A212248CF699543BA953191B304AEAE75B24966736BABBBB059BD70D97F526F53A7A4B4BC667764C123DE4FF7F31C1B76E
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....h.g.................2+..........K+......P+...@...........................8......%9...@......@....................,.n....p,..<....0.,.............8..Z....,...............................,.....................Dz,.,.....,.(....................text.....+.......+................. ..`.itext..,.... +..0....+............. ..`.data........P+......6+.............@....bss.....|....+..........................idata...<...p,..>....+.............@....didata.(.....,.......,.............@....edata..n.....,......$,.............@..@.tls....X.....,..........................rdata..].....,......&,.............@..@.reloc........,......(,.............@..B.rsrc...,.....0.......0.............@..@..............4.......3.............@..@................

                                                                          C:\Program Files\Beyond Compare 5\is-K6QSQ.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):12008
                                                                          Entropy (8bit):7.157374186094153
                                                                          Encrypted:false
                                                                          SSDEEP:96:AX66dTwGynmRnlm2mnHFQcqEVdup4dise+KejvaIWcaiOg23E6gR7s4M4Nm2mnHs:3lnmBI2EP7j+g2mC2E1g2zex7jQM
                                                                          MD5:5F5BD32E847B2A2E07D20545B53E8F26
                                                                          SHA1:3D1D6811298457A586D40B01373331A0F1E415F2
                                                                          SHA-256:BAD829ECBB2A24EFD25143311CA6B11D7C74BB565014F12AB964965F8AE9F1EB
                                                                          SHA-512:4B8EA4538B7836AA9A33CAFD11825F257963A2E510EAD503A525DF5939FE11A612E5EB23E17D9D5F9AB691B48F62AFA0C01CD650DFE796C695CB3431D9A9F704
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A... ... ... ... ... ...V... ..Rich. ..........PE..d...j..W.........." ......................................................... ......).....@..............................................................................(...........................................................................................rsrc...............................@..@.....................................p.W.....................p.W............0........p.W............H...X.................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............................................................S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.4.0.9.0.4.E.4...B.....C.o.m.p.a.n.y.N.a.m.e.....S.c.o.o.t.e.r. .S.o.f.t.w.a.r.e.....f.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....D.i.s.a.b.l.e. .M.i.c.r.o.s.o.f.t. ...N.E.T. .R.u.n.t.i.m.e.....0.....F.i.l.e.V.e.r.s.i.o.n.....1...0...0...0...t.(...L.e.g.a.l.C.o.p.y.r.i.

                                                                          C:\Program Files\Beyond Compare 5\is-N3K06.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):123160
                                                                          Entropy (8bit):6.544919559125115
                                                                          Encrypted:false
                                                                          SSDEEP:3072:hIlX/11v+v6C62aktjgJlWLQjpeOMwas+:ulP11v+0zkjilWLSeOMwz+
                                                                          MD5:2BCE1CA54D031FACD5B10D5BD45F5D15
                                                                          SHA1:00FA8972A4A4169DF3B5AA27A05F6151A5278D7F
                                                                          SHA-256:8A6363E1377BD084ADD68445F796C83609BA27BD1B0A06CB339AC92F0B91EE0C
                                                                          SHA-512:872524C7463AD7B4D04EB52DB4EB82B50175B71627D2DEABE6A5D4CC151F50802279B26363F73E861EBC50E2E728322271B4C3D78ABB92ACD6E5A19DF556E93B
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....HF...............8.V...^...............p....@.......................................... ..........................................................)...........................................................................................text... U.......V.................. ..`.data........p.......Z..............@....rdata...?.......@...\..............@..@.bss.....................................idata..............................@....rsrc...............................@...................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Program Files\Beyond Compare 5\is-NUJ04.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:HTML document, ASCII text, with very long lines (657), with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):8426
                                                                          Entropy (8bit):4.891243115846035
                                                                          Encrypted:false
                                                                          SSDEEP:96:7R2WDIZPVhQfhjPYAzGbECnwNaLb5lba1GNotQDKhjyei0QYpm9JKsHm:7ACjPYAcECwaz01Qd0QYpmv5Hm
                                                                          MD5:73ED25C52F8EFB2F4982C202BEF8C86A
                                                                          SHA1:F7F5712F785DA55FACAB47F3190E298C2E648EBB
                                                                          SHA-256:567A15377144A3BE77A1B8E6C2EC416860A065270C9C618A7788405300F1200A
                                                                          SHA-512:23D2BF7EB7255A0A8938C800427347C080FE4FE7A0FBC49760F961FBD8F46227C885136179C85F490D662D385A092890238389D5D0D26721F7F81D5AFADF7BDB
                                                                          Malicious:false
                                                                          Preview:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">..<html lang=en>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">..<title>Beyond Compare License Agreement</title>..<style type="text/css">.. body {.. margin: 10px; padding: 0px;.. font-family: Arial, Helvetica, sans-serif;.. font-size: small;.. }.. h2 {.. font-size: large;.. font-weight: bold;.. border-bottom: 1px solid #66CC00;.. margin: 0px 0px 8px 0px;.. }.. h3 {.. font-size: small;.. font-weight: bold;.. margin: 6px 0px 2px 0px;.. }.. p {.. margin: 0px 0px 6px 0px;.. }....</style>..</head>..<body>..<h2>LICENSE AGREEMENT</h2>....<h3>Your use of Beyond Compare is governed by the following Terms and Conditions:</h3>..<br/>....<h3>Acceptance of License Agreement</h3>..<p>You ("Customer") should carefully read the following terms and conditions before using Beyond Compare 5 (the "Software").&nbsp;..Unless

                                                                          C:\Program Files\Beyond Compare 5\is-RE1S8.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):54597
                                                                          Entropy (8bit):4.772611567187478
                                                                          Encrypted:false
                                                                          SSDEEP:1536:sZYGp3X5ZkFxJ370ajaQZZb8evQRjBFbHV5TK8P+kok5x4HQRDjvS2atNwnI0o+j:WX5ZkFxJ3cknOV
                                                                          MD5:292398D9661F062C0722EB1E2BEE533C
                                                                          SHA1:531254FDB896E4D1B1765C14CFF358A07406925A
                                                                          SHA-256:B23EE940D784C8A2220837612226247539299A42F78A6FD5F47635EFDB63CA4D
                                                                          SHA-512:55BA618278A0946F3CE30A535DD0565F70C46057A203B23417C535FC5C694E2A8B1D90ECB1F863790B458730DABC7B247E5378906B425FCA0EFCC4034F5DD318
                                                                          Malicious:false
                                                                          Preview:# This file maps Internet media types to unique file extension(s)...# Although created for httpd, this file is used by many software systems..# and has been placed in the public domain for unlimited redisribution...#..# The table below contains both registered and (common) unregistered types...# A type that has no unique extension can be ignored -- they are listed..# here to guide configurations toward known types and to make it easier to..# identify "new" types. File extensions are also commonly used to indicate..# content languages and encodings, so choose them carefully...#..# Internet media types should be registered as described in RFC 4288...# The registry is at <http://www.iana.org/assignments/media-types/>...#..# MIME type (lowercased)...Extensions..# ============================================.==========..# application/1d-interleaved-parityfec..# application/3gpp-ims+xml..# application/activemessage..application/andrew-inset...ez..# application/applefile..application/applixw

                                                                          C:\Program Files\Beyond Compare 5\mime.types (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):54597
                                                                          Entropy (8bit):4.772611567187478
                                                                          Encrypted:false
                                                                          SSDEEP:1536:sZYGp3X5ZkFxJ370ajaQZZb8evQRjBFbHV5TK8P+kok5x4HQRDjvS2atNwnI0o+j:WX5ZkFxJ3cknOV
                                                                          MD5:292398D9661F062C0722EB1E2BEE533C
                                                                          SHA1:531254FDB896E4D1B1765C14CFF358A07406925A
                                                                          SHA-256:B23EE940D784C8A2220837612226247539299A42F78A6FD5F47635EFDB63CA4D
                                                                          SHA-512:55BA618278A0946F3CE30A535DD0565F70C46057A203B23417C535FC5C694E2A8B1D90ECB1F863790B458730DABC7B247E5378906B425FCA0EFCC4034F5DD318
                                                                          Malicious:false
                                                                          Preview:# This file maps Internet media types to unique file extension(s)...# Although created for httpd, this file is used by many software systems..# and has been placed in the public domain for unlimited redisribution...#..# The table below contains both registered and (common) unregistered types...# A type that has no unique extension can be ignored -- they are listed..# here to guide configurations toward known types and to make it easier to..# identify "new" types. File extensions are also commonly used to indicate..# content languages and encodings, so choose them carefully...#..# Internet media types should be registered as described in RFC 4288...# The registry is at <http://www.iana.org/assignments/media-types/>...#..# MIME type (lowercased)...Extensions..# ============================================.==========..# application/1d-interleaved-parityfec..# application/3gpp-ims+xml..# application/activemessage..application/andrew-inset...ez..# application/applefile..application/applixw

                                                                          C:\Program Files\Beyond Compare 5\mscoree.dll (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):12008
                                                                          Entropy (8bit):7.157374186094153
                                                                          Encrypted:false
                                                                          SSDEEP:96:AX66dTwGynmRnlm2mnHFQcqEVdup4dise+KejvaIWcaiOg23E6gR7s4M4Nm2mnHs:3lnmBI2EP7j+g2mC2E1g2zex7jQM
                                                                          MD5:5F5BD32E847B2A2E07D20545B53E8F26
                                                                          SHA1:3D1D6811298457A586D40B01373331A0F1E415F2
                                                                          SHA-256:BAD829ECBB2A24EFD25143311CA6B11D7C74BB565014F12AB964965F8AE9F1EB
                                                                          SHA-512:4B8EA4538B7836AA9A33CAFD11825F257963A2E510EAD503A525DF5939FE11A612E5EB23E17D9D5F9AB691B48F62AFA0C01CD650DFE796C695CB3431D9A9F704
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A... ... ... ... ... ...V... ..Rich. ..........PE..d...j..W.........." ......................................................... ......).....@..............................................................................(...........................................................................................rsrc...............................@..@.....................................p.W.....................p.W............0........p.W............H...X.................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............................................................S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.4.0.9.0.4.E.4...B.....C.o.m.p.a.n.y.N.a.m.e.....S.c.o.o.t.e.r. .S.o.f.t.w.a.r.e.....f.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....D.i.s.a.b.l.e. .M.i.c.r.o.s.o.f.t. ...N.E.T. .R.u.n.t.i.m.e.....0.....F.i.l.e.V.e.r.s.i.o.n.....1...0...0...0...t.(...L.e.g.a.l.C.o.p.y.r.i.

                                                                          C:\Program Files\Beyond Compare 5\unins000.dat

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:InnoSetup Log 64-bit Beyond Compare 5, version 0x418, 27115 bytes, 932923\37\user\376, C:\Program Files\Beyond Compare 5\376\377\
                                                                          Category:dropped
                                                                          Size (bytes):27115
                                                                          Entropy (8bit):4.126925558513182
                                                                          Encrypted:false
                                                                          SSDEEP:384:oXr7X9svIojZlg+WwcmT+DIg/vifvYm4QxbMbPIx5nGWANEhqkkkqE3xdQaEanHY:oX39iuIRYsobPZJ
                                                                          MD5:E97946309DF432729E799676BF58AA6D
                                                                          SHA1:C06CB480F592A621A64B5B7923A62387EB985D62
                                                                          SHA-256:9B5BCCC14EDE0351548C9AB1BBD644596A56F29F821D9087D0A9925D6C5D042F
                                                                          SHA-512:2F0170797D92D743EA212C13DAFA6DBFB4D53BBC51491AC5C40523F0B1AFF74C1AF3B8C5FF4ABE470E9CA6E30CB2EA45ED0358963766BBAD75C4160EEA877AC7
                                                                          Malicious:false
                                                                          Preview:Inno Setup Uninstall Log (b) 64-bit.............................BeyondCompare5..................................................................................................................Beyond Compare 5....................................................................................................................-....i..................................................................................................................J...........@.j.......}........9.3.2.9.2.3......j.o.n.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.e.y.o.n.d. .C.o.m.p.a.r.e. .5................8.(.... ......T.......IFPS....2...n....................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TNEWSTATICTEXT....TNEWSTATICTEXT.........TINPUTOPTIONWI

                                                                          C:\Program Files\Beyond Compare 5\unins000.exe (copy)

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3696328
                                                                          Entropy (8bit):6.520608646636147
                                                                          Encrypted:false
                                                                          SSDEEP:49152:cjk49uHREeaiWBwS+7XLr2KE0WmF484FdJlmZg8psz1OfMkQTQsm9bj7KRg3337g:Mk49uxdPWiWmF4lkQTQiRg3337oMe
                                                                          MD5:A25B91D7630476A0FD62AF6290460D8C
                                                                          SHA1:2ECC25942594862971A53CE1D810B1DE8DC0BFC8
                                                                          SHA-256:623F17639D449D0D08AD1EA2634E64CE3F5E4852A6737B262019C5F3AA81A7E3
                                                                          SHA-512:3A1354A8D80B0808C337BE2008AA72A212248CF699543BA953191B304AEAE75B24966736BABBBB059BD70D97F526F53A7A4B4BC667764C123DE4FF7F31C1B76E
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....h.g.................2+..........K+......P+...@...........................8......%9...@......@....................,.n....p,..<....0.,.............8..Z....,...............................,.....................Dz,.,.....,.(....................text.....+.......+................. ..`.itext..,.... +..0....+............. ..`.data........P+......6+.............@....bss.....|....+..........................idata...<...p,..>....+.............@....didata.(.....,.......,.............@....edata..n.....,......$,.............@..@.tls....X.....,..........................rdata..].....,......&,.............@..@.reloc........,......(,.............@..B.rsrc...,.....0.......0.............@..@..............4.......3.............@..@................

                                                                          C:\Program Files\Beyond Compare 5\unins000.msg

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
                                                                          Category:dropped
                                                                          Size (bytes):24597
                                                                          Entropy (8bit):3.2849959416774195
                                                                          Encrypted:false
                                                                          SSDEEP:192:Z1EjNSCkf3SCqsTr6CCPanAG1tzUcTqL7VF+Iqfc51U5YQDztXfbKJG/Bfvo:Z1EK6CHr6fTCqX+7Q1U5YQDztB/B3o
                                                                          MD5:D49B64C08678A45DE3120E8DE71ABB96
                                                                          SHA1:E3971EEA301F897F9C6347B2C29C468188DFA4A1
                                                                          SHA-256:E92963DEA654D2BA4FF432DCE8710576E61002D3057746E2261524B3E30BE097
                                                                          SHA-512:AB97C4B1496B43558FE79705C2FE22B368F0CC5CACF9B6DB321474588AEBDC1F41FAD13648C2969663CDE2EF07E0CF2D49883D888FC9649F2E71090DD2EAD593
                                                                          Malicious:false
                                                                          Preview:Inno Setup Messages (6.0.0) (u)......................................_..7....1..C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.

                                                                          C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Beyond Compare 5.lnk

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Jan 15 23:56:41 2025, mtime=Wed Jan 15 23:56:42 2025, atime=Thu Jan 9 22:27:42 2025, length=49653848, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):921
                                                                          Entropy (8bit):4.589785248138583
                                                                          Encrypted:false
                                                                          SSDEEP:24:8msSldKKaH8pyUUAlrd+8pVgd+8pd7Bm:8m3dKVH8pyUjlrd+8pVgd+8pX
                                                                          MD5:9D6D6764B1BF3A1C86C94B5509310739
                                                                          SHA1:331E8EDB7B7F4C586D6AEA81FF4235187078E5C0
                                                                          SHA-256:B73FDADDD6091F9C6C64FAEE13C05CDE05558287AF4F581DDE5F5C2DB58809AA
                                                                          SHA-512:25AFA9795E45A432686401235E359D4CE071B23ACED5497C0E0A52CB9099D52B68A2306538DF552FC39678F2D7281A894011DDDAD46C9576298457BA38C2B416
                                                                          Malicious:false
                                                                          Preview:L..................F.... ....d..g...H#..g....N..b..X............................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDWQ`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....0Z....BEYOND~1..R......0Z..0Z...............................B.e.y.o.n.d. .C.o.m.p.a.r.e. .5.....f.2.X...)Zu. .BCompare.exe..J......0Z..0Z......z.........................B.C.o.m.p.a.r.e...e.x.e.......]...............-.......\..............!.....C:\Program Files\Beyond Compare 5\BCompare.exe..:.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.e.y.o.n.d. .C.o.m.p.a.r.e. .5.\.B.C.o.m.p.a.r.e...e.x.e.!.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.e.y.o.n.d. .C.o.m.p.a.r.e. .5.`.......X.......932923...........hT..CrF.f4... .U........,.......hT..CrF.f4... .U........,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                          C:\Users\Public\Desktop\Beyond Compare 5.lnk

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Jan 15 23:56:41 2025, mtime=Wed Jan 15 23:56:44 2025, atime=Thu Jan 9 22:27:42 2025, length=49653848, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):909
                                                                          Entropy (8bit):4.578857434433871
                                                                          Encrypted:false
                                                                          SSDEEP:12:8msaa0YXyh9MsdpF4CMKJgH8pp2zffUAjA+2hpFbdpM8pV0bdpM8pd7BmV:8ms+dKKaH8pyUUAlld+8pVgd+8pd7Bm
                                                                          MD5:03937AA05C8B1D645B513D92521FD781
                                                                          SHA1:2029010703C0562F02009C82609227435F0D6595
                                                                          SHA-256:39E83BE514848BDE56B1A127166736D756735D7E1B55667169F3CE2D94017D9E
                                                                          SHA-512:83A9F20FA55C675D9ED6DB51C5DC7C562209CB9F556215689F06BA0A8721247AFC4B00351596B9BE46219E892836FEF1B86B052B04818149A2C4DE667DBBF43F
                                                                          Malicious:false
                                                                          Preview:L..................F.... ....d..g....J..g....N..b..X............................P.O. .:i.....+00.../C:\.....................1.....0Z....PROGRA~1..t......O.I0Z......B...............J......g..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....j.1.....0Z....BEYOND~1..R......0Z..0Z...............................B.e.y.o.n.d. .C.o.m.p.a.r.e. .5.....f.2.X...)Zu. .BCompare.exe..J......0Z..0Z......z.........................B.C.o.m.p.a.r.e...e.x.e.......]...............-.......\..............!.....C:\Program Files\Beyond Compare 5\BCompare.exe..4.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.e.y.o.n.d. .C.o.m.p.a.r.e. .5.\.B.C.o.m.p.a.r.e...e.x.e.!.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.e.y.o.n.d. .C.o.m.p.a.r.e. .5.`.......X.......932923...........hT..CrF.f4... .U........,.......hT..CrF.f4... .U........,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\checkupdates[1].htm

                                                                          Download File
                                                                          Process:C:\Program Files\Beyond Compare 5\BCompare.exe
                                                                          File Type:XML 1.0 document, ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):182
                                                                          Entropy (8bit):5.060514629663243
                                                                          Encrypted:false
                                                                          SSDEEP:3:vFWWMNHU8LdgCf6vJHBJL0HHcSLKBRSB2KoEntRLREm1MC3FJEsxHQhL81hKb:TMVBd/6RHBFmjLKBPZURLimGOFXLA
                                                                          MD5:EABE5BE58275458CA402B7941F460F21
                                                                          SHA1:D3CB520281428B0FFAAE2EDA6AA4D1692F492B27
                                                                          SHA-256:C15F17E38709DF5E794E9E2E340F6FBD3268616CA0E036A18AEF54E5FA2F9B41
                                                                          SHA-512:FB56DC21A9BA706F478D6479C74E8F43CE5F4B777221DC4D03491CA27C3709CA8FF77F2781CC77D9AF2725FDE93FADF1BF72B4D5EA4C433A406B6753E898E0D3
                                                                          Malicious:false
                                                                          Preview:<?xml version="1.0" encoding="UTF-8"?><Update available="" download="https://www.scootersoftware.com/BCompare-5.0.5.30614.exe" latestbuild="30614" latestversion="5.0.5 build 30614"/>

                                                                          C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\Desktop\BCompare-5.0.5.30614.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3696328
                                                                          Entropy (8bit):6.520608646636147
                                                                          Encrypted:false
                                                                          SSDEEP:49152:cjk49uHREeaiWBwS+7XLr2KE0WmF484FdJlmZg8psz1OfMkQTQsm9bj7KRg3337g:Mk49uxdPWiWmF4lkQTQiRg3337oMe
                                                                          MD5:A25B91D7630476A0FD62AF6290460D8C
                                                                          SHA1:2ECC25942594862971A53CE1D810B1DE8DC0BFC8
                                                                          SHA-256:623F17639D449D0D08AD1EA2634E64CE3F5E4852A6737B262019C5F3AA81A7E3
                                                                          SHA-512:3A1354A8D80B0808C337BE2008AA72A212248CF699543BA953191B304AEAE75B24966736BABBBB059BD70D97F526F53A7A4B4BC667764C123DE4FF7F31C1B76E
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....h.g.................2+..........K+......P+...@...........................8......%9...@......@....................,.n....p,..<....0.,.............8..Z....,...............................,.....................Dz,.,.....,.(....................text.....+.......+................. ..`.itext..,.... +..0....+............. ..`.data........P+......6+.............@....bss.....|....+..........................idata...<...p,..>....+.............@....didata.(.....,.......,.............@....edata..n.....,......$,.............@..@.tls....X.....,..........................rdata..].....,......&,.............@..@.reloc........,......(,.............@..B.rsrc...,.....0.......0.............@..@..............4.......3.............@..@................

                                                                          C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\BCShellEx.dll

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1262808
                                                                          Entropy (8bit):6.632499883121238
                                                                          Encrypted:false
                                                                          SSDEEP:24576:sN5UJV9oW9ZA1mYB8IVt2cRsZWteJRinG7Q:01VtvsZhY
                                                                          MD5:13681B409B6DF2DED5571078B2D57D83
                                                                          SHA1:DD428A73A748D83482C4D2426FE95D6BD7920DDA
                                                                          SHA-256:85B973702360FF9C1B13EE84F1E4986CC7BA2B11573B7E9662F4F9A3157F54B2
                                                                          SHA-512:86792D3188B2394A714435C210644EBAFD728344A8B0B25B80141CCDDBB4DCF7ABF643D1D7F84ED53704F1F7621C7A403CA8FCFBAAA9398074EC47F697B36AFB
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....Xg...........!.........&....................@.................................mp....@.............................3.......l........................Z... ..@p...................................................................................text............................... ..`.itext..(........................... ..`.data...p...........................@....bss.....k...`...........................idata..l............R..............@....didata..............f..............@....edata..3............n..............@..@.rdata..E............p..............@..@.reloc..@p... ...r...r..............@..B.rsrc...............................@..@....................................@..@........................................................

                                                                          C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\Is64Bit.dll

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):30720
                                                                          Entropy (8bit):5.58706013247082
                                                                          Encrypted:false
                                                                          SSDEEP:384:kH7bjoo65dP24fCgYdNeAyG6bhXdJPfzruqdCUSPSd/qsTx+HpZ4J5:kPjY52ZPpJ61tJjVASwdJ
                                                                          MD5:F2198A02802B6B8A27CC63A5DBC573EC
                                                                          SHA1:367D9EDA31DF54EEC921A5770BE4A139520688F8
                                                                          SHA-256:07693A3352D0159DD4C172F400F4DBF1DAF02819E7E748F2EE3DB027D8FAB263
                                                                          SHA-512:F73563A6907BF98BDE272E72DFF2CF2D872445EFE65C02911D5E932567FE09896BEBCAE6B1C5E38C6AA11735249FB9D53832A75856A8B7B2179C9C258DF5C9DE
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 10%
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....6.W.................N...&.......`.......p....@.....................................................................F.......................................(....................................................................................text....J.......L.................. ..`.itext.......`.......P.............. ..`.data...,....p.......R..............@....bss.....+...............................idata...............\..............@....edata..F............b..............@..@.rdata..E............d..............@..@.reloc..(............f..............@..B.rsrc................v..............@..@.....................x..............@..@................................................................................................

                                                                          C:\Users\user\AppData\Local\Temp\is-FTTBU.tmp\_isetup\_setup64.tmp

                                                                          Download File
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):6144
                                                                          Entropy (8bit):4.720366600008286
                                                                          Encrypted:false
                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                                                                          C:\Users\user\AppData\Roaming\Scooter Software\Beyond Compare 5\BCState.xml

                                                                          Download File
                                                                          Process:C:\Program Files\Beyond Compare 5\BCompare.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):211
                                                                          Entropy (8bit):5.121385145983276
                                                                          Encrypted:false
                                                                          SSDEEP:6:TMVBd/lLFcIqbXF2YNGXj8XjJbWptqSBBREh:TMHdNLFcIqbXF2ItAtxih
                                                                          MD5:05135B0C6983FCD7AA097B35C50402C7
                                                                          SHA1:5AD0875045D999E69046697F204A08CCAAD55836
                                                                          SHA-256:E264B355F169F868D455142B89E187F7EA7B78681BB74E5DA3705C2B5F83CA75
                                                                          SHA-512:3E14E94A4135E07E0761EDA53746CDF31DF6D3C56079A397A25DC2288E32FA7997A47F3CACDFA36734FA9E03D43D26108739D3CBCB839D1E616F4779508753FC
                                                                          Malicious:false
                                                                          Preview:<?xml version="1.0" encoding="UTF-8"?>.. Produced by Beyond Compare 5 from Scooter Software -->..<BCState Version="2" MinVersion="2">...<TBcState>....<FirstStartup Value="False"/>...</TBcState>..</BCState>..

                                                                          C:\Users\user\AppData\Roaming\Scooter Software\Beyond Compare 5\BCState.xml.bak (copy)

                                                                          Download File
                                                                          Process:C:\Program Files\Beyond Compare 5\BCompare.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):211
                                                                          Entropy (8bit):5.121385145983276
                                                                          Encrypted:false
                                                                          SSDEEP:6:TMVBd/lLFcIqbXF2YNGXj8XjJbWptqSBBREh:TMHdNLFcIqbXF2ItAtxih
                                                                          MD5:05135B0C6983FCD7AA097B35C50402C7
                                                                          SHA1:5AD0875045D999E69046697F204A08CCAAD55836
                                                                          SHA-256:E264B355F169F868D455142B89E187F7EA7B78681BB74E5DA3705C2B5F83CA75
                                                                          SHA-512:3E14E94A4135E07E0761EDA53746CDF31DF6D3C56079A397A25DC2288E32FA7997A47F3CACDFA36734FA9E03D43D26108739D3CBCB839D1E616F4779508753FC
                                                                          Malicious:false
                                                                          Preview:<?xml version="1.0" encoding="UTF-8"?>.. Produced by Beyond Compare 5 from Scooter Software -->..<BCState Version="2" MinVersion="2">...<TBcState>....<FirstStartup Value="False"/>...</TBcState>..</BCState>..

                                                                          C:\Users\user\AppData\Roaming\Scooter Software\Beyond Compare 5\BCState.xml.tmp

                                                                          Download File
                                                                          Process:C:\Program Files\Beyond Compare 5\BCompare.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):336
                                                                          Entropy (8bit):5.310066730520885
                                                                          Encrypted:false
                                                                          SSDEEP:6:TMVBd/lLFcIqbXF2YNGXj8XjJbWptqSxWa4zVAYhFtuAs9CBmGWa4GBREh:TMHdNLFcIqbXF2ItAtnWaOhFgKmGWaFi
                                                                          MD5:193E0D8B63C14C7070F32E796361C000
                                                                          SHA1:8EAB04B67DEE6BB8EFE3EF3BB896E05466D9BF42
                                                                          SHA-256:343DE1F33F748CAEB5567D4A942BB80FA655B21EC27BBB5CBFEDC2F10B307A1C
                                                                          SHA-512:0268C3CBE2E715EE3A809E35965329EF09F746142BE649DCE5CFCCFCEAF1827D4D2C1173ED60DB7C98036E0BDB29A96ACFCA4FF3F7E26BD265E3FE9879C31C00
                                                                          Malicious:false
                                                                          Preview:<?xml version="1.0" encoding="UTF-8"?>.. Produced by Beyond Compare 5 from Scooter Software -->..<BCState Version="2" MinVersion="2">...<TBcState>....<FirstStartup Value="False"/>...</TBcState>...<TCheckForUpdatesState>....<Build Value="30614"/>....<LastChecked Value="2025-01-15 19:56:53"/>...</TCheckForUpdatesState>..</BCState>..

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.987555348242036
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 98.04%
                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                          • InstallShield setup (43055/19) 0.42%
                                                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                          File name:BCompare-5.0.5.30614.exe
                                                                          File size:28'399'696 bytes
                                                                          MD5:5f5d610da3aa05fd1097ef63223b1aad
                                                                          SHA1:200b7da822bd87d7e1e1f372acb71ae26c5b2e2b
                                                                          SHA256:6512d423dd07510507e77c68d1805f6b8d10fd7d5e88e4630fbce0922c1f8bee
                                                                          SHA512:f5f77a0a71566030de3fc917e0d391d6d04ab3328ace5074929a602a180e39254cde8763b2785f4c8eb93e11da14af08c7053005e01da45a872fb8c877817997
                                                                          SSDEEP:393216:4yWtGeE3rEOJMGSWeUZ7NOdpUvzKgaKT28/KNU4CcMt2oHPb1BitT7UZNiV:vWtHEbEOJ2K0Qz7aKTb/B3cMIMPbOtH
                                                                          TLSH:F85733237687D03EE25E0A3A16A59311567BBD6214028C0297F42CFFFE295912D3EB77
                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                          File Icon

                                                                          Icon Hash:0f1b3139f9fa7e32

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x4a73bc
                                                                          Entrypoint Section:.itext
                                                                          Digitally signed:true
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x678068C9 [Fri Jan 10 00:24:41 2025 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:6
                                                                          OS Version Minor:1
                                                                          File Version Major:6
                                                                          File Version Minor:1
                                                                          Subsystem Version Major:6
                                                                          Subsystem Version Minor:1
                                                                          Import Hash:40ab50289f7ef5fae60801f88d4541fc

                                                                          Authenticode Signature

                                                                          Signature Valid:true
                                                                          Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                          Signature Validation Error:The operation completed successfully
                                                                          Error Number:0
                                                                          Not Before, Not After
                                                                          • 16/12/2022 00:00:00 15/12/2025 23:59:59
                                                                          Subject Chain
                                                                          • CN=Scooter Software Inc, O=Scooter Software Inc, S=Wisconsin, C=US
                                                                          Version:3
                                                                          Thumbprint MD5:2D479B0ECA295DD2AB1F2EAD190C8AA1
                                                                          Thumbprint SHA-1:907287BBBCF274C9F9FB22BA6DB7AE2190556448
                                                                          Thumbprint SHA-256:4F5113BD361C72877E97990E73EF263D543DE5207764F35ADFD16944AD6C3085
                                                                          Serial:00D6869EE070F25887753041821F9DC48D

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          add esp, FFFFFFA4h
                                                                          push ebx
                                                                          push esi
                                                                          push edi
                                                                          xor eax, eax
                                                                          mov dword ptr [ebp-3Ch], eax
                                                                          mov dword ptr [ebp-40h], eax
                                                                          mov dword ptr [ebp-5Ch], eax
                                                                          mov dword ptr [ebp-30h], eax
                                                                          mov dword ptr [ebp-38h], eax
                                                                          mov dword ptr [ebp-34h], eax
                                                                          mov dword ptr [ebp-2Ch], eax
                                                                          mov dword ptr [ebp-28h], eax
                                                                          mov dword ptr [ebp-14h], eax
                                                                          mov eax, 004A24ECh
                                                                          call 00007F18413F0C85h
                                                                          xor eax, eax
                                                                          push ebp
                                                                          push 004A7AC1h
                                                                          push dword ptr fs:[eax]
                                                                          mov dword ptr fs:[eax], esp
                                                                          xor edx, edx
                                                                          push ebp
                                                                          push 004A7A7Bh
                                                                          push dword ptr fs:[edx]
                                                                          mov dword ptr fs:[edx], esp
                                                                          mov eax, dword ptr [004AF634h]
                                                                          call 00007F184148260Bh
                                                                          call 00007F184148215Eh
                                                                          lea edx, dword ptr [ebp-14h]
                                                                          xor eax, eax
                                                                          call 00007F184147CE38h
                                                                          mov edx, dword ptr [ebp-14h]
                                                                          mov eax, 004B31F4h
                                                                          call 00007F18413EAD33h
                                                                          push 00000002h
                                                                          push 00000000h
                                                                          push 00000001h
                                                                          mov ecx, dword ptr [004B31F4h]
                                                                          mov dl, 01h
                                                                          mov eax, dword ptr [0049CD14h]
                                                                          call 00007F184147E163h
                                                                          mov dword ptr [004B31F8h], eax
                                                                          xor edx, edx
                                                                          push ebp
                                                                          push 004A7A27h
                                                                          push dword ptr fs:[edx]
                                                                          mov dword ptr fs:[edx], esp
                                                                          call 00007F1841482693h
                                                                          mov dword ptr [004B3200h], eax
                                                                          mov eax, dword ptr [004B3200h]
                                                                          cmp dword ptr [eax+0Ch], 01h
                                                                          jne 00007F184148837Ah
                                                                          mov eax, dword ptr [004B3200h]
                                                                          mov edx, 00000028h
                                                                          call 00007F184147EA58h
                                                                          mov edx, dword ptr [004B3200h]

                                                                          Data Directories

                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0xb60000x71.edata
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xb40000xfec.idata
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xca0000x5b644.rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x1b0fda00x5ab0
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xb90000x10f9c.reloc
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_TLS0xb80000x18.rdata
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_IAT0xb42d40x25c.idata
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0xb50000x1a4.didata
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                          Sections

                                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                          .text0x10000xa4cbc0xa4e00539073e39a3bb7a48ff16ed7cf27d44eFalse0.3625586381728582data6.385930747601597IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                          .itext0xa60000x1b640x1c003ab32763d7038f577509dd1792d11dc8False0.546875data6.08895021897067IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                          .data0xa80000x38380x3a005524c7e1b3c54cc17f2b2d4583110a33False0.35338092672413796data4.967466794261466IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                          .bss0xac0000x72580x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                          .idata0xb40000xfec0x1000a4039eb08b593960fc4a472a3ed1e37fFalse0.379638671875data4.969171780150864IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                          .didata0xb50000x1a40x200f1966c30c3ced225b12d9d6ac9e6960eFalse0.34765625data2.7482544140152063IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                          .edata0xb60000x710x200be8bb06273c97d92be84f49576374aa6False0.1796875data1.327973850768573IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .tls0xb70000x180x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                          .rdata0xb80000x5d0x200939e66e3499d4a00b87036c15840e23aFalse0.189453125data1.390944454273433IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .reloc0xb90000x10f9c0x11000483d9fc46463597fcb755372a59e66b4False0.5787281709558824data6.708672035511969IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                          .rsrc0xca0000x5b6440x5b8001d2d58749e86b957d2824f14ee16c2bcFalse0.3158992913251366data4.961818414866529IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                          Resources

                                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                          RT_ICON0xca5e80x2e9Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishUnited States0.46308724832214765
                                                                          RT_ICON0xca8d40x129Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishUnited States0.5656565656565656
                                                                          RT_ICON0xcaa000x8a9Device independent bitmap graphic, 32 x 64 x 8, image size 1152EnglishUnited States0.39377537212449254
                                                                          RT_ICON0xcb2ac0x569Device independent bitmap graphic, 16 x 32 x 8, image size 320EnglishUnited States0.4483754512635379
                                                                          RT_ICON0xcb8180x42028Device independent bitmap graphic, 256 x 512 x 32, image size 270336EnglishUnited States0.269676302630411
                                                                          RT_ICON0x10d8400x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.42307464805394535
                                                                          RT_ICON0x11e0680x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.5884854771784233
                                                                          RT_ICON0x1206100x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.4469981238273921
                                                                          RT_ICON0x1216b80x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.7233606557377049
                                                                          RT_ICON0x1220400x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.8882978723404256
                                                                          RT_STRING0x1224a80x3f8data0.3198818897637795
                                                                          RT_STRING0x1228a00x2dcdata0.36475409836065575
                                                                          RT_STRING0x122b7c0x430data0.40578358208955223
                                                                          RT_STRING0x122fac0x44cdata0.38636363636363635
                                                                          RT_STRING0x1233f80x2d4data0.39226519337016574
                                                                          RT_STRING0x1236cc0xb8data0.6467391304347826
                                                                          RT_STRING0x1237840x9cdata0.6410256410256411
                                                                          RT_STRING0x1238200x374data0.4230769230769231
                                                                          RT_STRING0x123b940x398data0.3358695652173913
                                                                          RT_STRING0x123f2c0x368data0.3795871559633027
                                                                          RT_STRING0x1242940x2a4data0.4275147928994083
                                                                          RT_RCDATA0x1245380x10data1.5
                                                                          RT_RCDATA0x1245480x310data0.6173469387755102
                                                                          RT_RCDATA0x1248580x2cdata1.2045454545454546
                                                                          RT_GROUP_ICON0x1248840x92dataEnglishUnited States0.6917808219178082
                                                                          RT_VERSION0x1249180x584dataEnglishUnited States0.29107648725212465
                                                                          RT_MANIFEST0x124e9c0x7a8XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3377551020408163

                                                                          Imports

                                                                          DLLImport
                                                                          kernel32.dllGetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                                          comctl32.dllInitCommonControls
                                                                          user32.dllCreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                                          oleaut32.dllSysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                                          advapi32.dllConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

                                                                          Exports

                                                                          NameOrdinalAddress
                                                                          __dbk_fcall_wrapper20x40fc10
                                                                          dbkFCallWrapperAddr10x4af63c

                                                                          Possible Origin

                                                                          Language of compilation systemCountry where language is spokenMap
                                                                          EnglishUnited States

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          Jan 16, 2025 01:56:53.834438086 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:53.834464073 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:53.834527969 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:53.851569891 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:53.851587057 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:54.525302887 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:54.525377035 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:54.572117090 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:54.572146893 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:54.572577000 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:54.572628021 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:54.574548006 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:54.619328976 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:54.707433939 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:54.707490921 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:54.707508087 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:54.707551956 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:54.707638979 CET4434974072.32.90.250192.168.2.4
                                                                          Jan 16, 2025 01:56:54.707673073 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:54.713610888 CET49740443192.168.2.472.32.90.250
                                                                          Jan 16, 2025 01:56:54.713624954 CET4434974072.32.90.250192.168.2.4

                                                                          UDP Packets

                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                          Jan 16, 2025 01:56:53.777033091 CET4955653192.168.2.41.1.1.1
                                                                          Jan 16, 2025 01:56:53.810544968 CET53495561.1.1.1192.168.2.4

                                                                          DNS Queries

                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                          Jan 16, 2025 01:56:53.777033091 CET192.168.2.41.1.1.10x653eStandard query (0)www.scootersoftware.comA (IP address)IN (0x0001)false

                                                                          DNS Answers

                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                          Jan 16, 2025 01:56:53.810544968 CET1.1.1.1192.168.2.40x653eNo error (0)www.scootersoftware.comscootersoftware.comCNAME (Canonical name)IN (0x0001)false
                                                                          Jan 16, 2025 01:56:53.810544968 CET1.1.1.1192.168.2.40x653eNo error (0)scootersoftware.com72.32.90.250A (IP address)IN (0x0001)false

                                                                          HTTP Request Dependency Graph

                                                                          • www.scootersoftware.com

                                                                          HTTPS Proxied Packets

                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                          0192.168.2.44974072.32.90.2504437300C:\Program Files\Beyond Compare 5\BCompare.exe
                                                                          TimestampBytes transferredDirectionData
                                                                          2025-01-16 00:56:54 UTC298OUTGET /checkupdates.php?product=bc5&minor=0&maint=5&auth=30.15&build=30614&edition=prodebug&cpuarch=x86_64&platform=win32&lang=silent HTTP/1.1
                                                                          Accept: */*
                                                                          User-Agent: BeyondCompare/5.0 (Windows NT 10.0; Win64; x64)
                                                                          Host: www.scootersoftware.com
                                                                          Connection: Keep-Alive
                                                                          Cache-Control: no-cache
                                                                          2025-01-16 00:56:54 UTC285INHTTP/1.1 200 OK
                                                                          Date: Thu, 16 Jan 2025 00:56:54 GMT
                                                                          Server: Apache
                                                                          X-Content-Type-Options: nosniff
                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                          X-Frame-Options: SAMEORIGIN
                                                                          Connection: close
                                                                          Transfer-Encoding: chunked
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          2025-01-16 00:56:54 UTC193INData Raw: 62 36 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 55 70 64 61 74 65 20 61 76 61 69 6c 61 62 6c 65 3d 22 22 20 64 6f 77 6e 6c 6f 61 64 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 73 63 6f 6f 74 65 72 73 6f 66 74 77 61 72 65 2e 63 6f 6d 2f 42 43 6f 6d 70 61 72 65 2d 35 2e 30 2e 35 2e 33 30 36 31 34 2e 65 78 65 22 20 6c 61 74 65 73 74 62 75 69 6c 64 3d 22 33 30 36 31 34 22 20 6c 61 74 65 73 74 76 65 72 73 69 6f 6e 3d 22 35 2e 30 2e 35 20 62 75 69 6c 64 20 33 30 36 31 34 22 2f 3e 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: b6<?xml version="1.0" encoding="UTF-8"?><Update available="" download="https://www.scootersoftware.com/BCompare-5.0.5.30614.exe" latestbuild="30614" latestversion="5.0.5 build 30614"/>0


                                                                          Statistics

                                                                          CPU Usage

                                                                          Click to jump to process

                                                                          Memory Usage

                                                                          Click to jump to process

                                                                          High Level Behavior Distribution

                                                                          Click to dive into process behavior distribution

                                                                          Behavior

                                                                          Click to jump to process

                                                                          System Behavior

                                                                          General

                                                                          Target ID:0
                                                                          Start time:19:56:04
                                                                          Start date:15/01/2025
                                                                          Path:C:\Users\user\Desktop\BCompare-5.0.5.30614.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\BCompare-5.0.5.30614.exe"
                                                                          Imagebase:0x420000
                                                                          File size:28'399'696 bytes
                                                                          MD5 hash:5F5D610DA3AA05FD1097EF63223B1AAD
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:1
                                                                          Start time:19:56:04
                                                                          Start date:15/01/2025
                                                                          Path:C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-EJNAE.tmp\BCompare-5.0.5.30614.tmp" /SL5="$20486,27293175,1148416,C:\Users\user\Desktop\BCompare-5.0.5.30614.exe"
                                                                          Imagebase:0x5d0000
                                                                          File size:3'696'328 bytes
                                                                          MD5 hash:A25B91D7630476A0FD62AF6290460D8C
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Antivirus matches:
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          General

                                                                          Target ID:6
                                                                          Start time:19:56:46
                                                                          Start date:15/01/2025
                                                                          Path:C:\Program Files\Beyond Compare 5\BCompare.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Beyond Compare 5\BCompare.exe"
                                                                          Imagebase:0x9c0000
                                                                          File size:49'653'848 bytes
                                                                          MD5 hash:FCCFCBF8770ADB5B202955DDC140FA2D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Disassembly

                                                                          Reset < >

                                                                            Execution Graph

                                                                            Execution Coverage:0.1%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:40
                                                                            Total number of Limit Nodes:6
                                                                            execution_graph 95028 7ffe115a5d78 95035 7ffe115a8680 95028->95035 95034 7ffe115a5d85 95044 7ffe115a87bc 95035->95044 95038 7ffe115ac304 95057 7ffe115ac9b8 GetLastError 95038->95057 95041 7ffe115a8694 95090 7ffe115a8750 95041->95090 95043 7ffe115a869f 95043->95034 95045 7ffe115a87db GetLastError 95044->95045 95046 7ffe115a5d81 95044->95046 95056 7ffe115aaa5c 6 API calls __vcrt_FlsAlloc 95045->95056 95046->95034 95046->95038 95058 7ffe115ac9e1 95057->95058 95059 7ffe115ac9dc 95057->95059 95063 7ffe115aca2a 95058->95063 95076 7ffe115ad1b0 95058->95076 95083 7ffe115ad478 6 API calls __vcrt_uninitialize_ptd 95059->95083 95065 7ffe115aca39 SetLastError 95063->95065 95066 7ffe115aca2f SetLastError 95063->95066 95064 7ffe115aca00 95084 7ffe115acd54 15 API calls 2 library calls 95064->95084 95068 7ffe115a5d8e 95065->95068 95066->95068 95068->95034 95068->95041 95070 7ffe115aca17 95070->95064 95072 7ffe115aca1e 95070->95072 95071 7ffe115aca07 95071->95066 95086 7ffe115ac688 15 API calls _set_errno_from_matherr 95072->95086 95074 7ffe115aca23 95087 7ffe115acd54 15 API calls 2 library calls 95074->95087 95081 7ffe115ad1c1 _set_errno_from_matherr 95076->95081 95077 7ffe115ad212 95089 7ffe115acb7c 15 API calls _set_errno_from_matherr 95077->95089 95078 7ffe115ad1f6 HeapAlloc 95079 7ffe115ac9f8 95078->95079 95078->95081 95079->95064 95085 7ffe115ad4d0 6 API calls __vcrt_uninitialize_ptd 95079->95085 95081->95077 95081->95078 95088 7ffe115ab528 EnterCriticalSection LeaveCriticalSection _set_errno_from_matherr 95081->95088 95083->95058 95084->95071 95085->95070 95086->95074 95087->95063 95088->95081 95089->95079 95091 7ffe115a8764 95090->95091 95095 7ffe115a877e 95090->95095 95092 7ffe115a876e 95091->95092 95096 7ffe115aaa5c 6 API calls __vcrt_FlsAlloc 95091->95096 95097 7ffe115aaaa4 6 API calls __vcrt_FlsAlloc 95092->95097 95095->95043 95097->95095

                                                                            Executed Functions

                                                                            Function 00007FFE115A62E0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 0 7ffe115a62e0-7ffe115a62e6 1 7ffe115a62e8-7ffe115a62eb 0->1 2 7ffe115a6321-7ffe115a632b 0->2 4 7ffe115a62ed-7ffe115a62f0 1->4 5 7ffe115a6315-7ffe115a6354 call 7ffe115a5e5c 1->5 3 7ffe115a6448-7ffe115a645d 2->3 6 7ffe115a646c-7ffe115a6486 call 7ffe115a5cf0 3->6 7 7ffe115a645f 3->7 8 7ffe115a6308 __scrt_dllmain_crt_thread_attach 4->8 9 7ffe115a62f2-7ffe115a62f5 4->9 23 7ffe115a635a-7ffe115a636f call 7ffe115a5cf0 5->23 24 7ffe115a6422 5->24 21 7ffe115a6488-7ffe115a64bd call 7ffe115a5e18 call 7ffe115a6ac0 call 7ffe115a6b34 call 7ffe115a5fcc call 7ffe115a5ff0 call 7ffe115a5e48 6->21 22 7ffe115a64bf-7ffe115a64f0 call 7ffe115a68b8 6->22 13 7ffe115a6461-7ffe115a646b 7->13 15 7ffe115a630d-7ffe115a6314 8->15 11 7ffe115a62f7-7ffe115a6300 9->11 12 7ffe115a6301-7ffe115a6306 call 7ffe115a5da0 9->12 12->15 21->13 32 7ffe115a6501-7ffe115a6507 22->32 33 7ffe115a64f2-7ffe115a64f8 22->33 35 7ffe115a643a-7ffe115a6447 call 7ffe115a68b8 23->35 36 7ffe115a6375-7ffe115a6386 call 7ffe115a5d60 23->36 28 7ffe115a6424-7ffe115a6439 24->28 39 7ffe115a6509-7ffe115a6513 32->39 40 7ffe115a654e-7ffe115a6564 call 7ffe115a689c 32->40 33->32 38 7ffe115a64fa-7ffe115a64fc 33->38 35->3 51 7ffe115a63d7-7ffe115a63e1 call 7ffe115a5fcc 36->51 52 7ffe115a6388-7ffe115a63ac call 7ffe115a6af8 call 7ffe115a6ab0 call 7ffe115a6ad4 call 7ffe115ac3c4 36->52 45 7ffe115a65ef-7ffe115a65fc 38->45 47 7ffe115a651f-7ffe115a652d 39->47 48 7ffe115a6515-7ffe115a651d 39->48 57 7ffe115a6566-7ffe115a6568 40->57 58 7ffe115a659c-7ffe115a659e 40->58 53 7ffe115a6533-7ffe115a653b call 7ffe115a62e0 47->53 69 7ffe115a65e5-7ffe115a65ed 47->69 48->53 51->24 70 7ffe115a63e3-7ffe115a63ef call 7ffe115a6af0 51->70 52->51 100 7ffe115a63ae-7ffe115a63b5 __scrt_dllmain_after_initialize_c 52->100 63 7ffe115a6540-7ffe115a6548 53->63 57->58 64 7ffe115a656a-7ffe115a658c call 7ffe115a689c call 7ffe115a6448 57->64 66 7ffe115a65a0-7ffe115a65a3 58->66 67 7ffe115a65a5-7ffe115a65ba call 7ffe115a62e0 58->67 63->40 63->69 64->58 95 7ffe115a658e-7ffe115a6593 64->95 66->67 66->69 67->69 81 7ffe115a65bc-7ffe115a65c6 67->81 69->45 89 7ffe115a63f1-7ffe115a63fb call 7ffe115a5f34 70->89 90 7ffe115a6415-7ffe115a6420 70->90 86 7ffe115a65c8-7ffe115a65cf 81->86 87 7ffe115a65d1-7ffe115a65e1 81->87 86->69 87->69 89->90 99 7ffe115a63fd-7ffe115a640b 89->99 90->28 95->58 99->90 100->51 101 7ffe115a63b7-7ffe115a63d4 call 7ffe115ac34c 100->101 101->51
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                            • String ID:
                                                                            • API String ID: 190073905-0
                                                                            • Opcode ID: 69b3ff748799d57f287455e60b622d94aee3ee0ff7e0f4ccf176a82911c563cb
                                                                            • Instruction ID: b3949cde64e18de85f54315c7f44e2667ee7d520670f44cee6c49ec88ede01ed
                                                                            • Opcode Fuzzy Hash: 69b3ff748799d57f287455e60b622d94aee3ee0ff7e0f4ccf176a82911c563cb
                                                                            • Instruction Fuzzy Hash: C581F261E9CE4386FB609B67B4402B926DDAFC57A4F8440B5DA4D437B6DF3CE8068720
                                                                            Function 00007FFE115AC9B8 Relevance: 3.8, APIs: 3, Instructions: 46COMMONLIBRARYCODE
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast
                                                                            • String ID:
                                                                            • API String ID: 1452528299-0
                                                                            • Opcode ID: 9ae7e976e38763bf9d4fe50960175f84ee3ac78d78ab755b42ff592e95c16e91
                                                                            • Instruction ID: 73e8d535d907aed7bad4b050ba6a4820af264bc2343499f4f9de574afd73611b
                                                                            • Opcode Fuzzy Hash: 9ae7e976e38763bf9d4fe50960175f84ee3ac78d78ab755b42ff592e95c16e91
                                                                            • Instruction Fuzzy Hash: 8C118B20A89E6242FB58A763B525179559DAF487F0F0441B8E90F077F6EE6CF8414300
                                                                            Function 00007FFE115AD1B0 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: AllocHeap
                                                                            • String ID:
                                                                            • API String ID: 4292702814-0
                                                                            • Opcode ID: f605227c1f6f6edded326221fe33fb71d76b2546cb8ef93c5c9d2a5d3333324b
                                                                            • Instruction ID: 61da7c29969e14d7a91eed4cd6308914732ddbba665e5976b0fbde97953b8503
                                                                            • Opcode Fuzzy Hash: f605227c1f6f6edded326221fe33fb71d76b2546cb8ef93c5c9d2a5d3333324b
                                                                            • Instruction Fuzzy Hash: 34F06D54B8AA0742FF9867A3A4413BD529D6F48BB0F4C44B4ED0E862F1EE1CE5818210

                                                                            Non-executed Functions

                                                                            Function 663EA79C Relevance: 98.6, APIs: 50, Strings: 5, Instructions: 2311COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$String$memset$Free$malloc
                                                                            • String ID: XS5f$dS5f$pS5f$tR5f$|S5f
                                                                            • API String ID: 1689579096-1740760260
                                                                            • Opcode ID: f2dad1a168c2b0afd36def8c2f11e1410e9520cc624d769b4dd3bcc99220a256
                                                                            • Instruction ID: cb27835842fc7a3ebef54081c8dc37c649724a2c504c807c92211d58bfe52de4
                                                                            • Opcode Fuzzy Hash: f2dad1a168c2b0afd36def8c2f11e1410e9520cc624d769b4dd3bcc99220a256
                                                                            • Instruction Fuzzy Hash: DC133D37609B9487DA14DF1AE49426EBBA0F7CAF81F445522DBAE47B24CF39C449C720
                                                                            Function 663D8278 Relevance: 89.7, APIs: 70, Instructions: 2155COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f275a6c42fe629f4e160b0ae9858b62abc6be21eca6635e3cd9d26a8a8af3dbb
                                                                            • Instruction ID: df6eb259c8a1040d6bbee84175f651798f2030fde070f30aedde5780387d74a0
                                                                            • Opcode Fuzzy Hash: f275a6c42fe629f4e160b0ae9858b62abc6be21eca6635e3cd9d26a8a8af3dbb
                                                                            • Instruction Fuzzy Hash: E4030977609B8486CB14DF2AE4A465EBBA5F3CAF85F105511DB9E43B28CF39C499CB00
                                                                            Function 66372564 Relevance: 60.9, APIs: 38, Strings: 2, Instructions: 935COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: [SYS]$[UNKNOWN]
                                                                            • API String ID: 0-1186932407
                                                                            • Opcode ID: 19cd10464823b99631bd04b3dea9621add22e4b4a0f95a63faa634deac09fc1f
                                                                            • Instruction ID: 655c0a82fe883e2fed6c7474968c37a6f01ea7d46075dfdf80370a6d07b48da3
                                                                            • Opcode Fuzzy Hash: 19cd10464823b99631bd04b3dea9621add22e4b4a0f95a63faa634deac09fc1f
                                                                            • Instruction Fuzzy Hash: 5882BE727156908BEB30DF25D99039DBBA2F385BC8F405126EA8A47B58CF3DC949CB44
                                                                            Function 00007FFE1157F8F0 Relevance: 60.7, APIs: 28, Strings: 6, Instructions: 1233fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$File$CloseDeleteDirectoryErrorHandleLastRemove$AttributesConcurrency::cancel_current_taskCreateProcessToken$AdjustControlCurrentDeviceLookupOpenPrivilegePrivilegesSecurityValue
                                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$SeRestorePrivilege$SeSecurityPrivilege$UNC\$\??\
                                                                            • API String ID: 528925956-600236706
                                                                            • Opcode ID: 0395ea66a62c51f88b0b94d40c05932dc017218cb84e70d488ec6482f8df2089
                                                                            • Instruction ID: 5eb9ca3f0518b1e76146a0250b6ae62c92232db8e0673c944028d14fdf58be25
                                                                            • Opcode Fuzzy Hash: 0395ea66a62c51f88b0b94d40c05932dc017218cb84e70d488ec6482f8df2089
                                                                            • Instruction Fuzzy Hash: 97B2CD22B18F8285EB10DB66E4453AD23A9FB457B8F504276DA6D47AF9DF7CE484C300
                                                                            Function 6636C0FC Relevance: 56.5, APIs: 24, Strings: 13, Instructions: 968COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memmove$freememcmp
                                                                            • String ID: <?xml version$CFName$Data$Name$array$blkx$data$dict$koly$plist$resource-fork$string$xklb
                                                                            • API String ID: 2583526591-2997039220
                                                                            • Opcode ID: 8f4511dd31af388a732774187725d30742e8f9204de948bc59289d31ee52904c
                                                                            • Instruction ID: f58910a6766b86d1510cac0259924ff5e161cb7dfa9f96ff80572165c6fcf0c5
                                                                            • Opcode Fuzzy Hash: 8f4511dd31af388a732774187725d30742e8f9204de948bc59289d31ee52904c
                                                                            • Instruction Fuzzy Hash: A872C062715B8086DF20CF6BE85479AB7A5F789B88F404526DB8EC7B18EF79C148C740
                                                                            Function 6637672C Relevance: 47.0, APIs: 28, Strings: 3, Instructions: 460COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 10661 6637672c-66376772 call 6634f1dc 10664 66376e45-66376e58 10661->10664 10665 66376778-66376782 10661->10665 10666 66376e43 10665->10666 10667 66376788-6637678d 10665->10667 10666->10664 10667->10666 10668 66376793-66376798 10667->10668 10668->10666 10669 6637679e-663767a3 10668->10669 10669->10666 10670 663767a9-663767ae 10669->10670 10670->10666 10671 663767b4-663767bd 10670->10671 10672 663767c3-663767cb 10671->10672 10673 66376e3f-66376e41 10671->10673 10672->10673 10674 663767d1-663767fb call 6634a274 call 6634a4d4 10672->10674 10673->10664 10679 66376807-66376867 call 6634a400 10674->10679 10680 663767fd-66376802 10674->10680 10686 6637686d-66376892 10679->10686 10687 66376b18-66376b1f free 10679->10687 10681 66376b88-66376b97 call 6634a298 10680->10681 10681->10664 10689 66376b21-66376b28 free 10686->10689 10690 66376898-663768b1 10686->10690 10688 66376b79-66376b7b 10687->10688 10691 66376b7d-66376b87 free 10688->10691 10692 66376b9c-66376bae 10688->10692 10689->10688 10693 663768b7-663768bf 10690->10693 10694 66376b2a-66376b31 free 10690->10694 10691->10681 10695 66376bb4 10692->10695 10696 66376cf9-66376cfb 10692->10696 10697 663768c1-663768ca 10693->10697 10698 663768df-66376909 memmove call 6634a400 10693->10698 10694->10688 10702 66376bb7-66376bc9 10695->10702 10700 66376cfd-66376d02 10696->10700 10701 66376d58-66376d60 10696->10701 10703 663768cd call 663442cc 10697->10703 10712 66376b33-66376b43 free 10698->10712 10713 6637690f-6637692e call 6634a400 10698->10713 10706 66376d05-66376d28 10700->10706 10704 66376d64-66376d71 10701->10704 10707 66376c26-66376c32 10702->10707 10708 66376bcb-66376bcf 10702->10708 10709 663768d2-663768da 10703->10709 10710 66376d83-66376d85 10704->10710 10711 66376d73-66376d7e free * 2 10704->10711 10716 66376d32-66376d35 10706->10716 10717 66376d2a-66376d2e 10706->10717 10714 66376c67-66376c93 memmove 10707->10714 10715 66376c34-66376c3b 10707->10715 10718 66376bd5-66376be7 10708->10718 10719 66376caa-66376cb2 10708->10719 10709->10698 10710->10704 10723 66376d87-66376da1 free call 6634a298 10710->10723 10711->10710 10712->10688 10741 66376b45-66376b55 free 10713->10741 10742 66376934-6637693f 10713->10742 10729 66376c97-66376ca2 10714->10729 10725 66376c3d-66376c42 free 10715->10725 10726 66376c4a-66376c55 10715->10726 10727 66376d37-66376d4b memmove 10716->10727 10728 66376d4f-66376d56 10716->10728 10717->10716 10720 66376c1c-66376c24 10718->10720 10721 66376be9-66376bf0 10718->10721 10722 66376cb6-66376cc3 10719->10722 10720->10729 10731 66376bf2-66376bf7 free 10721->10731 10732 66376bff-66376c0a 10721->10732 10733 66376cd6-66376cd8 10722->10733 10734 66376cc5-66376cd1 free * 2 10722->10734 10723->10664 10725->10726 10726->10714 10737 66376c57 10726->10737 10727->10728 10728->10701 10728->10706 10729->10702 10730 66376ca8 10729->10730 10730->10696 10731->10732 10732->10720 10738 66376c0c 10732->10738 10733->10722 10739 66376cda-66376cf4 free call 6634a298 10733->10739 10734->10733 10743 66376c5a call 663442cc 10737->10743 10744 66376c0f call 663442cc 10738->10744 10739->10664 10741->10688 10746 66376b57-66376b67 free 10742->10746 10747 66376945-6637695c 10742->10747 10748 66376c5f-66376c63 10743->10748 10749 66376c14-66376c18 10744->10749 10746->10688 10751 66376aa6-66376abd 10747->10751 10752 66376962-66376966 10747->10752 10748->10714 10749->10720 10753 66376ae2-66376b12 free call 6634a400 10751->10753 10754 66376abf-66376ac1 10751->10754 10755 66376972-66376978 10752->10755 10756 66376968-6637696c 10752->10756 10753->10686 10753->10687 10754->10753 10757 66376ac3-66376adc 10754->10757 10759 66376da6-66376db9 free 10755->10759 10760 6637697e-66376986 10755->10760 10756->10755 10758 66376b69-66376b71 free 10756->10758 10757->10753 10772 66376df1-66376e04 free 10757->10772 10758->10688 10762 66376de3-66376dec free 10759->10762 10763 66376dbb 10759->10763 10764 66376995-6637699c 10760->10764 10765 66376988-66376993 10760->10765 10762->10681 10767 66376dbf-66376dcc 10763->10767 10769 663769a0-663769ae 10764->10769 10765->10769 10770 66376ddf-66376de1 10767->10770 10771 66376dce-66376dda free * 2 10767->10771 10773 663769b4-663769c0 10769->10773 10774 66376a5d-66376a74 10769->10774 10770->10762 10770->10767 10771->10770 10778 66376e06 10772->10778 10779 66376e2e-66376e3a free 10772->10779 10775 663769c5 call 663442cc 10773->10775 10776 66376a76 10774->10776 10777 66376a7a-66376a7e 10774->10777 10780 663769ca-663769d2 10775->10780 10776->10777 10781 66376a81-66376aa2 call 663630f8 call 66376608 10777->10781 10782 66376e0b-66376e18 10778->10782 10779->10681 10783 663769d4-663769e9 10780->10783 10784 663769eb 10780->10784 10781->10751 10786 66376e2a-66376e2c 10782->10786 10787 66376e1a-66376e25 free * 2 10782->10787 10788 663769ee-663769f6 10783->10788 10784->10788 10786->10779 10786->10782 10787->10786 10790 66376a01-66376a50 call 663630f8 call 66376584 10788->10790 10791 663769f8-663769fb 10788->10791 10790->10781 10798 66376a52-66376a5b 10790->10798 10791->10790 10798->10781
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memmove
                                                                            • String ID: F$L$V
                                                                            • API String ID: 2162964266-882967390
                                                                            • Opcode ID: c7da2d9cf191a45047235747796087edef79250d3da4c5599d2eef209b1ee02e
                                                                            • Instruction ID: b899af542be3c7528a79ddf293e4d03b2271cafc1beb3524e5b8f8aeb6c102ec
                                                                            • Opcode Fuzzy Hash: c7da2d9cf191a45047235747796087edef79250d3da4c5599d2eef209b1ee02e
                                                                            • Instruction Fuzzy Hash: 4102B062618A8096DB20EF27E86039DBF60F786B88F444129EBDA47B59DF39C558C704
                                                                            Function 663E2E44 Relevance: 39.6, APIs: 31, Instructions: 857COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$mallocmemmove
                                                                            • String ID:
                                                                            • API String ID: 1934541353-0
                                                                            • Opcode ID: 97dac2eae533b44625e6a670d196b1ebeec1a00f345874ae8a3c591460e4b750
                                                                            • Instruction ID: 68c9b19bb5d60b58e526835af7d2c54798649a3f520d15bb944066ffc02be160
                                                                            • Opcode Fuzzy Hash: 97dac2eae533b44625e6a670d196b1ebeec1a00f345874ae8a3c591460e4b750
                                                                            • Instruction Fuzzy Hash: 08728372609B9083EB14DF29E590A5EBBB4F3D6F84F105116DB9A43B28CF39C859CB10
                                                                            Function 66378714 Relevance: 37.9, APIs: 30, Instructions: 421COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8601643cc69908d41964bfb63ca0dbe82505360dc35cb49a8c04bad9b207a60d
                                                                            • Instruction ID: 4e2c200988a4eaa70b8f7115198c695059db3ad174d98bf7ce71abd6a3cf8c4a
                                                                            • Opcode Fuzzy Hash: 8601643cc69908d41964bfb63ca0dbe82505360dc35cb49a8c04bad9b207a60d
                                                                            • Instruction Fuzzy Hash: 3BF1856661868092CA60EF25E89065EFBB0F7D5B98F404122EBCE47B29CF3DC559CB44
                                                                            Function 6638E2C0 Relevance: 31.8, APIs: 14, Strings: 7, Instructions: 276COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: BAAD$CHKD$FILE$HOLE$INDX$RCRD$RSTR
                                                                            • API String ID: 1294909896-618987333
                                                                            • Opcode ID: 9ba1856302e144e08daf289f5c2cd9f9d492021643f396478d8ea42fe52034a6
                                                                            • Instruction ID: 7299a7677ea9102c4bcb1f50739941167074eea57d9cea9a2b8fe9a709f12c2b
                                                                            • Opcode Fuzzy Hash: 9ba1856302e144e08daf289f5c2cd9f9d492021643f396478d8ea42fe52034a6
                                                                            • Instruction Fuzzy Hash: E3A12B32A14BC083CA20DF25D8417EDB765F7D1784F40421ADBEA87A64EF7AC889C711
                                                                            Function 00007FFE11586B60 Relevance: 30.7, APIs: 20, Instructions: 733fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$NamePath$Concurrency::cancel_current_taskFileLongMoveShort
                                                                            • String ID:
                                                                            • API String ID: 1348968653-0
                                                                            • Opcode ID: b4187c428edfa8b8a8f1edb771f912f9e2f786ec487631c4d5d0fbc1bdc33e22
                                                                            • Instruction ID: a9976edcd60f4a9354e521b3e71aec5fb76a6062ffeb35310a7fdf34a96f1254
                                                                            • Opcode Fuzzy Hash: b4187c428edfa8b8a8f1edb771f912f9e2f786ec487631c4d5d0fbc1bdc33e22
                                                                            • Instruction Fuzzy Hash: A162A162B18E9285EB109B6BE4443AD63AAFB447B8F504671DA6D07BF9DF7CD091C300
                                                                            Function 6635AE90 Relevance: 28.2, APIs: 22, Instructions: 726COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 464cbd1c6c4b2194ef2abd16e4c1a03a1552bb23f05c0cc70581da542f8ed6c9
                                                                            • Instruction ID: d101b5b4059df2e9756f7489aa91800561ff875896ac750ffd2cc171f120b8b3
                                                                            • Opcode Fuzzy Hash: 464cbd1c6c4b2194ef2abd16e4c1a03a1552bb23f05c0cc70581da542f8ed6c9
                                                                            • Instruction Fuzzy Hash: CE523A76604B8086CB24DF2AE4A465EB7A1F7C9F95F115522DE9E47B28CF39C468CB00
                                                                            Function 00007FFE11584210 Relevance: 26.2, APIs: 10, Strings: 4, Instructions: 1688COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$BuffCharCloseHandle
                                                                            • String ID: ?$%s%s $G$__tmp_reference_source_
                                                                            • API String ID: 1171980479-895398381
                                                                            • Opcode ID: af0de86f071e7e5ad8638258e9f17cca800878dd911db27233084068e60fe63a
                                                                            • Instruction ID: 9920e3689bba2578090c017f283f5ba14d5d5641af91a813b9b3bc69025cc520
                                                                            • Opcode Fuzzy Hash: af0de86f071e7e5ad8638258e9f17cca800878dd911db27233084068e60fe63a
                                                                            • Instruction Fuzzy Hash: 03038362A18AC285EB20DB27F4443FA67A9FB817A8F444176DA9D076F5DF3CE485C700
                                                                            Function 663F03F0 Relevance: 26.1, APIs: 11, Strings: 6, Instructions: 629stringCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$strcmp$ExceptionThrow
                                                                            • String ID: ACL$AES$Crypto_$STM$[VER]\$v
                                                                            • API String ID: 3345478648-1094970601
                                                                            • Opcode ID: 6f81ead754a66260040be433633c57751319bea5c0e53a93c674e94964492a0d
                                                                            • Instruction ID: 0c299e2d838c4461e3b8b0b206ed9f98761e10c5487c98b14bc8f80af6adba01
                                                                            • Opcode Fuzzy Hash: 6f81ead754a66260040be433633c57751319bea5c0e53a93c674e94964492a0d
                                                                            • Instruction Fuzzy Hash: E732FA72629A8085D720DB18E8A069EFBA5F7D57C8F804112EACD47B68DF3DC547CB80
                                                                            Function 663602D8 Relevance: 23.2, APIs: 18, Instructions: 726COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: d48820d66fc5b81954cdd10ef2207dd9241b7ffb828f93a4dcc8de1664ff89ae
                                                                            • Instruction ID: ce22b39afe093cfb2af09a9f4d815bc9bfa24b31d625c2ccc33423ad772698c2
                                                                            • Opcode Fuzzy Hash: d48820d66fc5b81954cdd10ef2207dd9241b7ffb828f93a4dcc8de1664ff89ae
                                                                            • Instruction Fuzzy Hash: F642A132705B4087DB04DF2AD59462EBBA4FB9AF88F115521DE9E97B18DF3AC448C780
                                                                            Function 00007FFE1158B990 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 254commemoryCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: String$Free$AllocBlanketClearCreateInstanceProxyVariant
                                                                            • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                            • API String ID: 355633934-3505469590
                                                                            • Opcode ID: aaa52eb986aae5c1f16a5a1d6b72837792449695601723a8ebf9004ca9a9f107
                                                                            • Instruction ID: 3be832116783ada7932c98ab075d4984d0710d7fce9fa54b7cb70e1f4714215f
                                                                            • Opcode Fuzzy Hash: aaa52eb986aae5c1f16a5a1d6b72837792449695601723a8ebf9004ca9a9f107
                                                                            • Instruction Fuzzy Hash: 94B14536A0AF4686EB14CF26E4902A877A8FF84BA8F1441B5DA4E17BB4DF3CD455C304
                                                                            Function 66394274 Relevance: 20.1, APIs: 4, Strings: 9, Instructions: 571COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4$BLOCK$S$S_VERSION_INFO$V$VALUE$arFileInfo$ranslation$tringFileInfo
                                                                            • API String ID: 0-1611817331
                                                                            • Opcode ID: 75e78232421c4ca6c43c2c05c44da78efe506c4da76316161725ff1d36485867
                                                                            • Instruction ID: 5b46bec3b361106af1fb4a132f2c5a5541a7f41cbffb53f09a07316dcf659491
                                                                            • Opcode Fuzzy Hash: 75e78232421c4ca6c43c2c05c44da78efe506c4da76316161725ff1d36485867
                                                                            • Instruction Fuzzy Hash: 3D021466A2825047DB14CF25D8902AEA792F786BCCF405310DAA65BB05FB3FC60ECF45
                                                                            Function 00007FFE1158D300 Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 650COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskCurrentDirectory
                                                                            • String ID: UNC
                                                                            • API String ID: 3620719219-337201128
                                                                            • Opcode ID: 5b046d7fa66baca5fb7d4fc9d9ffb909ad7527c11db6fa34b6fab753a94c4cc0
                                                                            • Instruction ID: 792a494d35a9f455280296e24ca3408f161e3b5451ecadae52eb1b00d5ff9e1e
                                                                            • Opcode Fuzzy Hash: 5b046d7fa66baca5fb7d4fc9d9ffb909ad7527c11db6fa34b6fab753a94c4cc0
                                                                            • Instruction Fuzzy Hash: EA429062F19F4685EB00DBA7E0442AD23AAAB447B8F504275DE6D17BF9DE7CE085C300
                                                                            Function 663BC398 Relevance: 18.1, APIs: 14, Instructions: 599COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 663BAE40: free.MSVCRT ref: 663BAE78
                                                                              • Part of subcall function 663BAE40: free.MSVCRT ref: 663BAF52
                                                                            • free.MSVCRT ref: 663BC6EE
                                                                            • free.MSVCRT ref: 663BC702
                                                                              • Part of subcall function 66347CB8: VariantClear.OLEAUT32 ref: 66347CDD
                                                                            • free.MSVCRT ref: 663BC730
                                                                            • free.MSVCRT ref: 663BC744
                                                                            • free.MSVCRT ref: 663BC767
                                                                            • free.MSVCRT ref: 663BC753
                                                                              • Part of subcall function 6634FB68: free.MSVCRT ref: 6634FBB4
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1677346816-0
                                                                            • Opcode ID: cb00a5725c94814bb8cd54543861a76de88a056d2cc85c421b84e5df47393341
                                                                            • Instruction ID: 76d7080eb08eb91d5112cad6fca40bb74b8956a463928c41c9ddc03f23a61f66
                                                                            • Opcode Fuzzy Hash: cb00a5725c94814bb8cd54543861a76de88a056d2cc85c421b84e5df47393341
                                                                            • Instruction Fuzzy Hash: 04329C36705B888ADB24DF2AE85425EBBA4F795F84F458025DF9E87B28CF39C449C740
                                                                            Function 663AA0E0 Relevance: 17.8, APIs: 14, Instructions: 345COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp
                                                                            • String ID:
                                                                            • API String ID: 1475443563-0
                                                                            • Opcode ID: de44c8d327f1eb1917fe3a64e0ac5eb2be56ab42d9e628e2f39c267b9cf56c9b
                                                                            • Instruction ID: 1d63c4f20ef518eba240dafda6032bb2f54c24c3c9415e3a2160d32df946185e
                                                                            • Opcode Fuzzy Hash: de44c8d327f1eb1917fe3a64e0ac5eb2be56ab42d9e628e2f39c267b9cf56c9b
                                                                            • Instruction Fuzzy Hash: DDC11033958380A7DF24CF28D54026E77A9FB93B98F14441AD68943609DB3BC49DF7A8
                                                                            Function 6637A534 Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 285COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memmove$free$memcmp
                                                                            • String ID: EFI PART
                                                                            • API String ID: 3252486899-2496423277
                                                                            • Opcode ID: c0f264f6a189d7e1066cf2b280125a7e8ef6e6bc2f785357e1e39f66d176dfa4
                                                                            • Instruction ID: a2a1fc3efbb7c125f95dde3312c49175d788c87643af39fef9d5e44c814fc674
                                                                            • Opcode Fuzzy Hash: c0f264f6a189d7e1066cf2b280125a7e8ef6e6bc2f785357e1e39f66d176dfa4
                                                                            • Instruction Fuzzy Hash: 6AB1CF73714B8497DB24DF21E89079D7BA5F748B88F40452ADB8947B08EF39D5A9CB00
                                                                            Function 00007FFE11572300 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 400COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Char$BuffConcurrency::cancel_current_task
                                                                            • String ID: 5$CMT$u
                                                                            • API String ID: 502890492-924144299
                                                                            • Opcode ID: e34920b2b22aa77fc903e12c628470a9ab7f43efce3911ddfbc60a85bffe3c57
                                                                            • Instruction ID: ab8d7c00571f1161245ba7b1aa05dd10ad3f68932fe817b6d0b443190104d052
                                                                            • Opcode Fuzzy Hash: e34920b2b22aa77fc903e12c628470a9ab7f43efce3911ddfbc60a85bffe3c57
                                                                            • Instruction Fuzzy Hash: B2F1C262A18F8285EB109B27D4153BD2399FB457E8F9442B2EA5E07AF9DF3CE541C700
                                                                            Function 00007FFE115A42A0 Relevance: 15.9, APIs: 10, Instructions: 919COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 5f8e10e38d709957a9f8e63098fcac84d2b5a097fc5005d929227aa536694d2e
                                                                            • Instruction ID: 1804d0dcf4dd7b6c85ae5805fd8e914f05a2be4897fa7d2535c00efc0046a51a
                                                                            • Opcode Fuzzy Hash: 5f8e10e38d709957a9f8e63098fcac84d2b5a097fc5005d929227aa536694d2e
                                                                            • Instruction Fuzzy Hash: AC82DF22B58F8286EB00CBA6F4442AD6BA9FB447A8F544276DA5D17BF5DF3CD085C340
                                                                            Function 663B0748 Relevance: 14.6, APIs: 6, Strings: 3, Instructions: 1070COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: bzip2$octet-stream$zlib
                                                                            • API String ID: 0-420118634
                                                                            • Opcode ID: 7b0fed49fc4b8b79601d3032b98acf9beb1e11d2cb41462f32b4b72c4a612b07
                                                                            • Instruction ID: ad8c0ec2bb7e444babe5cc6f57b8d45a476c83c020fea48cdafc766f6daa3774
                                                                            • Opcode Fuzzy Hash: 7b0fed49fc4b8b79601d3032b98acf9beb1e11d2cb41462f32b4b72c4a612b07
                                                                            • Instruction Fuzzy Hash: 1592D376214B84C6DB18DF2AE4A461EBBB0F79AF85F019912DE9E47B24CF39C448C744
                                                                            Function 00007FFE115892C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 451COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Time$System$CurrentFileProcess
                                                                            • String ID: .rartemp
                                                                            • API String ID: 665854642-2558811017
                                                                            • Opcode ID: 3a9f7382d13921b1593382963c3b02240b33158a64aae9c9fb95d7fe2a73f35b
                                                                            • Instruction ID: 188d106fb842501271ecf26e787c6cb11b1b46b41acddd25acc0d39862b8b24b
                                                                            • Opcode Fuzzy Hash: 3a9f7382d13921b1593382963c3b02240b33158a64aae9c9fb95d7fe2a73f35b
                                                                            • Instruction Fuzzy Hash: 3102A422B28B9285EB00CB6AE4453AD7369FB847A4F505275EA5D17BF9EF7CD081C300
                                                                            Function 663D6E64 Relevance: 14.0, APIs: 8, Strings: 1, Instructions: 466COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$memcmpmemmove
                                                                            • String ID: MSCF
                                                                            • API String ID: 2618254165-1646999414
                                                                            • Opcode ID: 01493167a3a9d506d3c107976a263182f35efbb73e31eeee7cc064d21f3f4f06
                                                                            • Instruction ID: 81b3bac30f7c45c51b106210de78ab78d8f0effd16755836a60c291691f1f12c
                                                                            • Opcode Fuzzy Hash: 01493167a3a9d506d3c107976a263182f35efbb73e31eeee7cc064d21f3f4f06
                                                                            • Instruction Fuzzy Hash: F312BC33214B8487C760CF2AE89065EBBB9FB8AB84F505115EBDA43B14DF3AD595CB40
                                                                            Function 00007FFE11575F90 Relevance: 13.0, APIs: 6, Strings: 1, Instructions: 788COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID: CMT
                                                                            • API String ID: 3668304517-2756464174
                                                                            • Opcode ID: a3b793be63ac3b3a06c0b8017877987e5d14b1c7408ba189ccf11993aec05dfb
                                                                            • Instruction ID: 2c2e6c77a67964f5a572fa5779d731de0bc3c3abd1081bf6bc4245294886ddf8
                                                                            • Opcode Fuzzy Hash: a3b793be63ac3b3a06c0b8017877987e5d14b1c7408ba189ccf11993aec05dfb
                                                                            • Instruction Fuzzy Hash: 5272AE72A18B8285FB109B76D4523ED37A9FB407A8F844176DA4E0B6FADE3CE445C350
                                                                            Function 00007FFE1158C6C0 Relevance: 12.3, APIs: 8, Instructions: 301COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: FullNamePath$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 2750628778-0
                                                                            • Opcode ID: e25898e3f4afdf21f7b40704b6a07bfc91ca04030695392d55d4f6a818125599
                                                                            • Instruction ID: b5912f771c12c184965b68a8244df44d9a0d787db339741477ea7876810a4f7c
                                                                            • Opcode Fuzzy Hash: e25898e3f4afdf21f7b40704b6a07bfc91ca04030695392d55d4f6a818125599
                                                                            • Instruction Fuzzy Hash: 56C1B122F24E4281FB14DB67E5486BC62A9AB44BF4F504275DA6D57AF4DFBCA4C1C300
                                                                            Function 6636E38C Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 291COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Qtd
                                                                            • API String ID: 0-1435435203
                                                                            • Opcode ID: e190ae3b7d8514106fa1e997e37ce0616c84e202f4efa7fa77ea61924459f088
                                                                            • Instruction ID: 2626120ac731d158b0a2d85dade0c7179ee1ed6df976fb3e4f1c686ce3cb67c5
                                                                            • Opcode Fuzzy Hash: e190ae3b7d8514106fa1e997e37ce0616c84e202f4efa7fa77ea61924459f088
                                                                            • Instruction Fuzzy Hash: 90B1DC227097C097DA149F27DA5076D7BB0F784B89F405125EF8A8BB58EB39E0B8C300
                                                                            Function 663845A8 Relevance: 11.9, APIs: 9, Instructions: 654COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: fbff0e185a0478304f1ae6c6ec1f9d11b5b1bae5e3ea883d028ed6f45161e5e3
                                                                            • Instruction ID: 929e70b5de3ca44499d11c2c8346179b46ccb6b1714634107c66c176fb8c70d6
                                                                            • Opcode Fuzzy Hash: fbff0e185a0478304f1ae6c6ec1f9d11b5b1bae5e3ea883d028ed6f45161e5e3
                                                                            • Instruction Fuzzy Hash: 44328E76604B8087EB14DF2AD05476EBBB8F79AF88F015429DB9A03B16DF3AC458C740
                                                                            Function 00007FFE1158A190 Relevance: 10.7, APIs: 7, Instructions: 193fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                            • String ID:
                                                                            • API String ID: 474548282-0
                                                                            • Opcode ID: 18e3021a8db6ef5bbed99d94c059b938b93d290ba1f615cc6e6f89ff5d319e3d
                                                                            • Instruction ID: 6f6df60ab4d5ae22e092b1342f364a2939ef6da911da6d7b905b28897a7163dc
                                                                            • Opcode Fuzzy Hash: 18e3021a8db6ef5bbed99d94c059b938b93d290ba1f615cc6e6f89ff5d319e3d
                                                                            • Instruction Fuzzy Hash: 75818022A18E8686DF209B16F44426A63A5FB857B4F501371EABE07AF5DF7CE184C700
                                                                            Function 00007FFE115A68B8 Relevance: 10.6, APIs: 7, Instructions: 72COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                            • String ID:
                                                                            • API String ID: 3140674995-0
                                                                            • Opcode ID: 844c71af930698839e4628accb3ea63ceabf8124b89d9cb005e16f0d609bd085
                                                                            • Instruction ID: d214cc3e7ecd3788841ab3499f2fdc2b6b172f7450aec6ea0ad1dce598234753
                                                                            • Opcode Fuzzy Hash: 844c71af930698839e4628accb3ea63ceabf8124b89d9cb005e16f0d609bd085
                                                                            • Instruction Fuzzy Hash: 7A314A72609E828AEB609F61E8503ED7369FB84754F44443ADA4E47BB8DF3CD648C714
                                                                            Function 00007FFE11595C90 Relevance: 9.1, APIs: 6, Instructions: 131timeCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                                            • String ID:
                                                                            • API String ID: 2092733347-0
                                                                            • Opcode ID: ec1290c0df370c29627172e8959e33bbc6081dc4309c865513c2f9de3d81c096
                                                                            • Instruction ID: 2c151f0da81b0d2e805f28a2d9685144ec5f09c1273e8f668e9dc432fe66b1bd
                                                                            • Opcode Fuzzy Hash: ec1290c0df370c29627172e8959e33bbc6081dc4309c865513c2f9de3d81c096
                                                                            • Instruction Fuzzy Hash: E351A0B2F10A558AEB54CFAAE4405AC3BB9F748798B508036EE0E57B68DF3CD955C700
                                                                            Function 00007FFE115AAC68 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                            • String ID:
                                                                            • API String ID: 1239891234-0
                                                                            • Opcode ID: d3035f9854c16e320fb29c4da654b9775189e59ff324e0c0979443c43923e631
                                                                            • Instruction ID: 7413a9c8a64813efa9832e5c5d700d50dd8374c7cecbed3ea7d976da6638564a
                                                                            • Opcode Fuzzy Hash: d3035f9854c16e320fb29c4da654b9775189e59ff324e0c0979443c43923e631
                                                                            • Instruction Fuzzy Hash: 60315236618F8186DB60CF26E8402AE77A8FB84764F504175EA9E43BB5DF3CD555CB00
                                                                            Function 00007FFE11582760 Relevance: 9.0, APIs: 6, Instructions: 50COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                                            • String ID:
                                                                            • API String ID: 3398352648-0
                                                                            • Opcode ID: a51ad40eba6dc9a0be79e4ddeb392e2a62d7b4c12689208cea99d479d9de0304
                                                                            • Instruction ID: 3337acf325dd58baf33102f24540f3023eb2db8b29e010bd03571a7f598b99c6
                                                                            • Opcode Fuzzy Hash: a51ad40eba6dc9a0be79e4ddeb392e2a62d7b4c12689208cea99d479d9de0304
                                                                            • Instruction Fuzzy Hash: 2B115471A18F4182EB508F23F45466ABBE9FB84B90F544075EA8E47678DF3CD045CB40
                                                                            Function 00007FFE115A4900 Relevance: 6.5, APIs: 4, Instructions: 453COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 31670ab7779b45620db84b3de922860bbe80b817da5972bdd4ab5f37a51f129c
                                                                            • Instruction ID: b0aab3f078572cd55e6673f7e3114a8e88ee50e9ebb0cde3962aa42bf8b4538f
                                                                            • Opcode Fuzzy Hash: 31670ab7779b45620db84b3de922860bbe80b817da5972bdd4ab5f37a51f129c
                                                                            • Instruction Fuzzy Hash: 1A12C132B18F8186EB008B26F4842AE6BA9FB847A4F544176EA9D477F5DF3CD485C700
                                                                            Function 66348168 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 239timeCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • FileTimeToLocalFileTime.KERNEL32 ref: 663481CA
                                                                            • FileTimeToSystemTime.KERNEL32 ref: 663481E2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Time$File$LocalSystem
                                                                            • String ID: gfff
                                                                            • API String ID: 1748579591-1553575800
                                                                            • Opcode ID: e442ddd5456a4968179ba4fdba5d66afdee67cd6bb57a7b86fef6b2b8ec411e7
                                                                            • Instruction ID: e93346d3aeca65c9afc572b20f2d27daced69860e7c754d1b604fa77538cf7a9
                                                                            • Opcode Fuzzy Hash: e442ddd5456a4968179ba4fdba5d66afdee67cd6bb57a7b86fef6b2b8ec411e7
                                                                            • Instruction Fuzzy Hash: 48818657F082C04BD3199B3CA845BCEBFE0E391748F098614DB948B7AAE67EC40AD751
                                                                            Function 00007FFE115ADE74 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FFE115ADEA4
                                                                              • Part of subcall function 00007FFE115AAEC4: GetCurrentProcess.KERNEL32(00007FFE115AF0AD), ref: 00007FFE115AAEF1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                            • String ID: *?$.
                                                                            • API String ID: 2518042432-3972193922
                                                                            • Opcode ID: 6f164420443d075a16872e2eade68600407f786c926464b27d9f818a933559bb
                                                                            • Instruction ID: a2a508576b9ec6a331929116688fd48703361d4a7571966646eaf36dbbb0f296
                                                                            • Opcode Fuzzy Hash: 6f164420443d075a16872e2eade68600407f786c926464b27d9f818a933559bb
                                                                            • Instruction Fuzzy Hash: A251D362B55F9586EB10DFA3A8404BD77A9FB58BE8B444531DE1D17BA5EF3CD0428300
                                                                            Function 6634614C Relevance: 4.6, APIs: 3, Instructions: 70fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 66346120: FindClose.KERNEL32 ref: 66346132
                                                                            • FindFirstFileW.KERNEL32 ref: 6634618E
                                                                              • Part of subcall function 663429BC: free.MSVCRT ref: 663429F6
                                                                              • Part of subcall function 663429BC: memmove.MSVCRT ref: 66342A11
                                                                            • FindFirstFileW.KERNEL32 ref: 663461CE
                                                                            • free.MSVCRT ref: 663461DC
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Find$FileFirstfree$Closememmove
                                                                            • String ID:
                                                                            • API String ID: 2921071498-0
                                                                            • Opcode ID: 29222c2d11f437ed54da478691867cee43dac45061d0ac0459974103af2dd01d
                                                                            • Instruction ID: ec946663da21869503152d0070572236036fe16d52db4a18a7ad216733ae31b5
                                                                            • Opcode Fuzzy Hash: 29222c2d11f437ed54da478691867cee43dac45061d0ac0459974103af2dd01d
                                                                            • Instruction Fuzzy Hash: BA212C72608B409ADB10DF25E85039DA7A1F78ABB8F504324EABD47BD9DF3AC559C700
                                                                            Function 00007FFE11595390 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                            • String ID:
                                                                            • API String ID: 3429775523-0
                                                                            • Opcode ID: e95f13a6cf0de92122b4de6ed38ac9dd6b6e99ee189da60b4ce95c6e8ae777b9
                                                                            • Instruction ID: 833b5ba80630545152c37189803a2b14ece3cd7938b149d8763e38f05cec3366
                                                                            • Opcode Fuzzy Hash: e95f13a6cf0de92122b4de6ed38ac9dd6b6e99ee189da60b4ce95c6e8ae777b9
                                                                            • Instruction Fuzzy Hash: 1011DDB2618B4587E7108F26F49135ABBA5F788754F501129E68D47B78DF3CD044CF40
                                                                            Function 00007FFE115729E0 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 413COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID: <
                                                                            • API String ID: 3668304517-4251816714
                                                                            • Opcode ID: 5fe9d3b96eb31bc47bfb8448c0fdf968f875056807f9144d512d4132062e9216
                                                                            • Instruction ID: b56a200b1c4b45d995b35a530053f0b2047495ccb2964e2d37452a4e39c07c80
                                                                            • Opcode Fuzzy Hash: 5fe9d3b96eb31bc47bfb8448c0fdf968f875056807f9144d512d4132062e9216
                                                                            • Instruction Fuzzy Hash: 8C029122A0CF9585EB608F22D4463B927A9FB45BE8F8840B6CA4D477B5CF7CE485C710
                                                                            Function 00007FFE115AE080 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .
                                                                            • API String ID: 0-248832578
                                                                            • Opcode ID: d9ddd8193cc93e6d4613e46c8eb4771cc70c6bd36bb8ba9d645dff48f2a77c94
                                                                            • Instruction ID: 4990338336097b0d925ab071015dec878a5eec9294bac4b1d5768b663d2df3ca
                                                                            • Opcode Fuzzy Hash: d9ddd8193cc93e6d4613e46c8eb4771cc70c6bd36bb8ba9d645dff48f2a77c94
                                                                            • Instruction Fuzzy Hash: AC31C622B14EA149FB609A63B8057AA7A99FB85BF4F148775EE5C07BF5CE3CD5018300
                                                                            Function 00007FFE115860F0 Relevance: 3.3, APIs: 2, Instructions: 313COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorFileLast_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3294793572-0
                                                                            • Opcode ID: 591d41de648a6a36ca323458f5c1563af4e5bb4f9c81f1ac7623bca7c2d651a0
                                                                            • Instruction ID: 5162bad329ad1e5a6e7afcb7755503c1e5a0d383464266af60a0dba8c9eeca26
                                                                            • Opcode Fuzzy Hash: 591d41de648a6a36ca323458f5c1563af4e5bb4f9c81f1ac7623bca7c2d651a0
                                                                            • Instruction Fuzzy Hash: 75D19E32B28A8182EB10CF27F8542AD63A9FB84BA4F504175EA5D47BB9DF3CD495C700
                                                                            Function 00007FFE115B2328 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionRaise_clrfp
                                                                            • String ID:
                                                                            • API String ID: 15204871-0
                                                                            • Opcode ID: d956be29c3cf90fbd35b3b3e7d06d13f311eb7d02f94229c3f4e3219daacf266
                                                                            • Instruction ID: 2cff08f664c9a0cc14f894bfec17ae26b00460dc90ab4f34c174def131711d38
                                                                            • Opcode Fuzzy Hash: d956be29c3cf90fbd35b3b3e7d06d13f311eb7d02f94229c3f4e3219daacf266
                                                                            • Instruction Fuzzy Hash: D9B16A73600B888BEB15CF2AC88636C3BA5F744B98F158962DA5D87BB4CB3DE451C714
                                                                            Function 66368414 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 215COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp
                                                                            • String ID:
                                                                            • API String ID: 1475443563-3916222277
                                                                            • Opcode ID: cda02a741adeb0e17e13a392ce442c581278997b5a0b69397317408b3a5a43a6
                                                                            • Instruction ID: 9f9513d318f57ba1a89016ae67e7aaee7003c79096a4e17257012dbec1cf6a1e
                                                                            • Opcode Fuzzy Hash: cda02a741adeb0e17e13a392ce442c581278997b5a0b69397317408b3a5a43a6
                                                                            • Instruction Fuzzy Hash: 4481D1B2B256419BD728CF2AD45075D3BA2F78AB8DF004119CF4A8775CDB76C489CBA0
                                                                            Function 00007FFE1159CB40 Relevance: 3.2, APIs: 2, Instructions: 172COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 73155330-0
                                                                            • Opcode ID: d103e249d1597aac99b8953cb8cdd8dc655e9cb8966260ac812ae4594858d48a
                                                                            • Instruction ID: a349653f902cf1aa8a021449ce593fcda9aed1da90cc1445f86bb52699153bd8
                                                                            • Opcode Fuzzy Hash: d103e249d1597aac99b8953cb8cdd8dc655e9cb8966260ac812ae4594858d48a
                                                                            • Instruction Fuzzy Hash: 61513572A18B8982DB18CF26D54027CB795EB84BA4F148235DA9E07BF8CF3CE441CB51
                                                                            Function 663E62F8 Relevance: 2.8, APIs: 2, Instructions: 252COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp
                                                                            • String ID:
                                                                            • API String ID: 1475443563-0
                                                                            • Opcode ID: 383862ac8c850411170287a815d550a255fa54f04d2e4ad05c1f972742cf923f
                                                                            • Instruction ID: a513bca89da9ebca22c6d94714b2a9a040257527f25be30bc64ac67c1c669d5f
                                                                            • Opcode Fuzzy Hash: 383862ac8c850411170287a815d550a255fa54f04d2e4ad05c1f972742cf923f
                                                                            • Instruction Fuzzy Hash: 13A1C432714BA082EB24CF2AE55478EB764F786BA4F404227DFA987B94DF39D059C710
                                                                            Function 00007FFE1158E1F0 Relevance: 1.9, APIs: 1, Instructions: 396COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Xinvalid_argument_invalid_parameter_noinfo_noreturnstd::_
                                                                            • String ID:
                                                                            • API String ID: 1132134225-0
                                                                            • Opcode ID: 992d1c29870945280cbb6247c4f6a6cfdd2ad85839074118602ace653cb548d5
                                                                            • Instruction ID: 70b6a14604a0c3b4bfe32264aecccb23acd0ccadd2c9ad7023b2065beb87b6f9
                                                                            • Opcode Fuzzy Hash: 992d1c29870945280cbb6247c4f6a6cfdd2ad85839074118602ace653cb548d5
                                                                            • Instruction Fuzzy Hash: 01F1BF32B18F6685EB149B67E1542BC23BAFB40BA8F404076CA4D576B8DF7CE4A5D340
                                                                            Function 00007FFE11596860 Relevance: 1.9, APIs: 1, Instructions: 377COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3668304517-0
                                                                            • Opcode ID: 76f22d37b5ef7796baed30bead5d7fc894749141623fed52dffe3152db48edbd
                                                                            • Instruction ID: 864c5cece0635acccfa50a1fba0f0dc87f90ecd8cc34b625d2ea5874b4a9169c
                                                                            • Opcode Fuzzy Hash: 76f22d37b5ef7796baed30bead5d7fc894749141623fed52dffe3152db48edbd
                                                                            • Instruction Fuzzy Hash: 51D15522F18EA981EB14CB27D4051BD37AAEB44BA4F448171DA6E47BB8DE7CD04AC315
                                                                            Function 00007FFE1157E2D0 Relevance: 1.7, APIs: 1, Instructions: 226COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7dc360899b8e3927c55e4e6b229693d33cc58803fd2617b3dfab2581677b052c
                                                                            • Instruction ID: 3e650a1b3c7c2f935ee8228356498fdceee6ebfbb1fca57df997d630cc72ff31
                                                                            • Opcode Fuzzy Hash: 7dc360899b8e3927c55e4e6b229693d33cc58803fd2617b3dfab2581677b052c
                                                                            • Instruction Fuzzy Hash: C8B1E072A08B929AE728CF36D1452ED77A5FB04B88F888076DB1D472B5CF3CA561C740
                                                                            Function 00007FFE115946B0 Relevance: 1.6, Strings: 1, Instructions: 366COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: 0575b44c4ca43c02b69e47fe5fcd20661937382df4f9d83afb9157b856ab158d
                                                                            • Instruction ID: 2490de10e2ccaf0e0988353b92f0e7afff8adf71e94ff4d5c4ddcb6a6ab3c452
                                                                            • Opcode Fuzzy Hash: 0575b44c4ca43c02b69e47fe5fcd20661937382df4f9d83afb9157b856ab158d
                                                                            • Instruction Fuzzy Hash: 7CE128777182448FC395CF2DE448A4AB7E5F38C748B259525EA48D3B18D73AEA46CF40
                                                                            Function 00007FFE1159A970 Relevance: 1.6, Strings: 1, Instructions: 342COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            • API String ID: 0-2766056989
                                                                            • Opcode ID: 3b873119496334597b55e8f1f37cc02753de1a98d71e60dbd859ee3ebef3a096
                                                                            • Instruction ID: 9b13198ed5291ebfdb87630cbc8c7e9b17ae0eb8619a34d9c4b5306027e892df
                                                                            • Opcode Fuzzy Hash: 3b873119496334597b55e8f1f37cc02753de1a98d71e60dbd859ee3ebef3a096
                                                                            • Instruction Fuzzy Hash: D8E1F232A18B8687EB098F2AE5802BDB3A8FB85714F504275DB5E436B0EF3CE555C711
                                                                            Function 00007FFE11577AA0 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: gj
                                                                            • API String ID: 0-4203073231
                                                                            • Opcode ID: 5cdc642adcdae1f0390f55275b15b7c37d54c4be938623f79e2799d404da2235
                                                                            • Instruction ID: ab66fad3e747839d2677e33dff199ef5ce873fb81cfe929404dd43d8c57865f9
                                                                            • Opcode Fuzzy Hash: 5cdc642adcdae1f0390f55275b15b7c37d54c4be938623f79e2799d404da2235
                                                                            • Instruction Fuzzy Hash: 1AE136B7B242908FE354CFBAD040A9D7BB1F748B8CB419125EF19ABB19D634E951CB40
                                                                            Function 66444670 Relevance: 1.6, APIs: 1, Instructions: 304COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 27e5bcb7d4fddafec0039c6478eb5c7f85e185306ff20a07a22aac098e605b4d
                                                                            • Instruction ID: 98d017cbfca9ebdb724db072d724dc972e2baa0c9795fa996b1f5243282e72c9
                                                                            • Opcode Fuzzy Hash: 27e5bcb7d4fddafec0039c6478eb5c7f85e185306ff20a07a22aac098e605b4d
                                                                            • Instruction Fuzzy Hash: 70B14673B182D48BE7149F28E801B9EBA61F3D57C8F548229DA8967B89C67CD506CB40
                                                                            Function 6643E660 Relevance: 1.5, APIs: 1, Instructions: 298COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            • Opcode ID: 7b2178252ba58a44f76c562b00263781cc33e7b2ebcf51eadb8f90a352b67534
                                                                            • Instruction ID: c466093f027473f756f13efd5cc239e367a5d7f9b900eb6a70a73b37a15c23b5
                                                                            • Opcode Fuzzy Hash: 7b2178252ba58a44f76c562b00263781cc33e7b2ebcf51eadb8f90a352b67534
                                                                            • Instruction Fuzzy Hash: A5B14472A217A48BD358DF2AE58071E77B5F389781F10521AD78A63F84DB38E875CB00
                                                                            Function 00007FFE1158B8D0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: String$AllocBlanketCreateFreeInstanceProxyVersion
                                                                            • String ID:
                                                                            • API String ID: 3764677576-0
                                                                            • Opcode ID: 0b5ce0934d75c6fa72b033dba01c137c3374fa0afb05718bbb60e3a1b7493e46
                                                                            • Instruction ID: 5db2de1cf0e879af096fc3219cbbf7f2fc6bb9547cd1a254344d68ba504586a3
                                                                            • Opcode Fuzzy Hash: 0b5ce0934d75c6fa72b033dba01c137c3374fa0afb05718bbb60e3a1b7493e46
                                                                            • Instruction Fuzzy Hash: 8A113A2AD0CDC289FB609B63B4153B527ACAB96728FC010B5D59D0A2F2EF3CA1458B01
                                                                            Function 66476ED0 Relevance: 1.5, APIs: 1, Instructions: 284COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            • Opcode ID: efdfc7bfda3e8c3bd7b7b7c88dcfe23be033f26d7b77248a202025f96f5f3192
                                                                            • Instruction ID: 2689524f2bbe01671943aac672c48680b1b0964c6a8ef8af9ef1445823092de8
                                                                            • Opcode Fuzzy Hash: efdfc7bfda3e8c3bd7b7b7c88dcfe23be033f26d7b77248a202025f96f5f3192
                                                                            • Instruction Fuzzy Hash: 69B1F17361DAC086D3258F29E850BEEBFA2F3D5744F948229DAD983B48DA3DD145CB00
                                                                            Function 00007FFE115ABED8 Relevance: 1.4, Strings: 1, Instructions: 139COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            • API String ID: 0-2766056989
                                                                            • Opcode ID: 7bb9e7cbc6e148987e8eec05001feba88cbcd6b885d632e9a1d121f19928d27c
                                                                            • Instruction ID: 49712180493a97e1debb4f0f5e42f9eed8cbc8508b4c43802769e6d3be5e885e
                                                                            • Opcode Fuzzy Hash: 7bb9e7cbc6e148987e8eec05001feba88cbcd6b885d632e9a1d121f19928d27c
                                                                            • Instruction Fuzzy Hash: 9041A062714E4486EF08CF2AE8142A977A9F748FE4B8A9036DE0D877B4EE3DD445C340
                                                                            Function 6646A330 Relevance: 1.4, APIs: 1, Instructions: 117COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID:
                                                                            • API String ID: 2221118986-0
                                                                            • Opcode ID: 4caef102a81bef3796f3ae995342719b050bf3c1f25eaf3942e33a28e5076a3d
                                                                            • Instruction ID: 05256ad48a546c629737dbe969fff7f1cf0cbc17df198dd21de45800beef51a7
                                                                            • Opcode Fuzzy Hash: 4caef102a81bef3796f3ae995342719b050bf3c1f25eaf3942e33a28e5076a3d
                                                                            • Instruction Fuzzy Hash: B841DDB2620B808BC325CF2AE44078AF7B1F789784F54D215DB9AA3B94EB7CE545C700
                                                                            Function 00007FFE115AF100 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: HeapProcess
                                                                            • String ID:
                                                                            • API String ID: 54951025-0
                                                                            • Opcode ID: f54549da4eb71df9af30a638d4af15f834b9019a2834473c3b9c952035e11af9
                                                                            • Instruction ID: 5e77b78f146d5ab880863cefb6753ceaca470305138f249d3605409fa958cdf6
                                                                            • Opcode Fuzzy Hash: f54549da4eb71df9af30a638d4af15f834b9019a2834473c3b9c952035e11af9
                                                                            • Instruction Fuzzy Hash: 9BB09220E07E02C2EB482B226C8222962FDBF48720FDA00B8C00E90330DE2C20E56700
                                                                            Function 00007FFE115A25F0 Relevance: .9, Instructions: 897COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8cad335f85fac8b4d136ca43d5471e75163cb72e28bf0234d712d6183cfd2c37
                                                                            • Instruction ID: dd65b58fcab8f76588055ec5bbb0a3dcfa84303678448eb7c6ea9f9e6b135829
                                                                            • Opcode Fuzzy Hash: 8cad335f85fac8b4d136ca43d5471e75163cb72e28bf0234d712d6183cfd2c37
                                                                            • Instruction Fuzzy Hash: 0F82ABB3A19AE586DB548F26E004BBC7FA9FB11B94F19C176DA4907BA1CE3CD841C710
                                                                            Function 00007FFE11577F30 Relevance: .9, Instructions: 893COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f5ed96e2391a81e13d781519e2f5793317d11819654f9ed1310036d5f95db78a
                                                                            • Instruction ID: ac82253a23a9311ff9485fb8d89b033d4c2efb3a1097a176fd89e1fc95297864
                                                                            • Opcode Fuzzy Hash: f5ed96e2391a81e13d781519e2f5793317d11819654f9ed1310036d5f95db78a
                                                                            • Instruction Fuzzy Hash: 6762719AD3AF9A1EE313A53954132D2E35C0EF74C9551E31BFCE430E66EB91A6831314
                                                                            Function 66480130 Relevance: .6, Instructions: 628COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e0748de627f4008d33ac3007bc49749048c74b9284d36fc8040e38f12617ee49
                                                                            • Instruction ID: 166577063cb597a8802a143d748ad33d6c754e754b63b4da9a4680615490ce0c
                                                                            • Opcode Fuzzy Hash: e0748de627f4008d33ac3007bc49749048c74b9284d36fc8040e38f12617ee49
                                                                            • Instruction Fuzzy Hash: 41127EB7F751605BC355CF2DEC82F8676A2B7A434CB49D424AB05D2F09E23DFA059A40
                                                                            Function 66392234 Relevance: .6, Instructions: 627COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d8d45cd48a2a61bd6e018b40b2967479d2a895b4bc6f34ba1258eaef1adae900
                                                                            • Instruction ID: f3c9a5f22090757fbedff687811908d8d63a0e1bafbe53b55425da3dff30660a
                                                                            • Opcode Fuzzy Hash: d8d45cd48a2a61bd6e018b40b2967479d2a895b4bc6f34ba1258eaef1adae900
                                                                            • Instruction Fuzzy Hash: 65323676325F8186DB18DF2AD1A462EB764F78AFC5B009621DE5E43B28DF39C458CB40
                                                                            Function 00007FFE115A1D30 Relevance: .6, Instructions: 576COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dc7d1692ea32dfe0cb7e95192ca08eb90a5de4831c1715c248d12617ba31fc30
                                                                            • Instruction ID: 140220b4be0a388f204a6482561b9af8c2f5fe80c0cb8d3ac21bb7a660678fd8
                                                                            • Opcode Fuzzy Hash: dc7d1692ea32dfe0cb7e95192ca08eb90a5de4831c1715c248d12617ba31fc30
                                                                            • Instruction Fuzzy Hash: CB3208B36085918BE718CF25E044BBC77A6F794B98F15C136DB4A47BA8DA3CE944CB10
                                                                            Function 00007FFE115999ED Relevance: .5, Instructions: 492COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 477756b0017128df6dc2c003b0d52beb36510c7c65ec01eb13f0982c9b8f2e74
                                                                            • Instruction ID: 1957c20da0721a4ed24605c81b46669bddf2480a04bda999794969c8ae5e40e5
                                                                            • Opcode Fuzzy Hash: 477756b0017128df6dc2c003b0d52beb36510c7c65ec01eb13f0982c9b8f2e74
                                                                            • Instruction Fuzzy Hash: 0B123AB36185A58BE7188F26D0447BC3766F741B58F14813ADA4B4BBA8CF3DE840DB52
                                                                            Function 664621A0 Relevance: .4, Instructions: 391COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0cec72c095c9f63ce922b5d7d356324eab2f6aaa055d7e4796847569f74a1b42
                                                                            • Instruction ID: 255d7551dc6a4d7c5c9afc18f98b562667ec6f53e5319aa2a4b6aca08159afcd
                                                                            • Opcode Fuzzy Hash: 0cec72c095c9f63ce922b5d7d356324eab2f6aaa055d7e4796847569f74a1b42
                                                                            • Instruction Fuzzy Hash: 24E1ADB2618790DACB25CF3AC550A5E7BB2F345B89B104129DF8AC7B58DF79C491CB00
                                                                            Function 00007FFE11591DE0 Relevance: .3, Instructions: 345COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 201200eb8d017a1962f3782ac058fe75f7e37042e6978776fe8aaa7b57d3c31a
                                                                            • Instruction ID: b6484b8c1e579d4183f933a65337f44947c18b34026c112a09537c1bbab128cb
                                                                            • Opcode Fuzzy Hash: 201200eb8d017a1962f3782ac058fe75f7e37042e6978776fe8aaa7b57d3c31a
                                                                            • Instruction Fuzzy Hash: 3DF1D0736186A4CBD311CF2AA0404BF7BA0F3A9789F859216EBC697795DB3CE505CB10
                                                                            Function 00007FFE11599F10 Relevance: .3, Instructions: 341COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: aafc4c7bc98d33d8e295af35a757318634a86b1c1fb7f163754fb340da092523
                                                                            • Instruction ID: b57f33fc9d74e221825e669208c0f27cb70d79fe0133b30f1d742e035b24842a
                                                                            • Opcode Fuzzy Hash: aafc4c7bc98d33d8e295af35a757318634a86b1c1fb7f163754fb340da092523
                                                                            • Instruction Fuzzy Hash: B6E11632B08A4A97EB198F2AE4842BDB368FB80754F404275DB5E437B1EF3CA595C311
                                                                            Function 6646A730 Relevance: .3, Instructions: 337COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ed16c744aa2151e46484d8630fd2deb52a6479d13cbdea056ab7e990247c17f1
                                                                            • Instruction ID: 71a2e2018f86add6678c17bb1c5769d4489d7856943a54aa71e43a515c33ad0c
                                                                            • Opcode Fuzzy Hash: ed16c744aa2151e46484d8630fd2deb52a6479d13cbdea056ab7e990247c17f1
                                                                            • Instruction Fuzzy Hash: DBD1BF77A15AE48BC709CF3AD04095DBBB1FB44F88B188126DB89C3758EB39D5A5CB40
                                                                            Function 00007FFE1159C2C0 Relevance: .3, Instructions: 306COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5415d88764e052b7cc053fc60ae1d128c9d1c3aabcee9cea4bb9644f515e39a9
                                                                            • Instruction ID: cfeaacbb406e857fab676d514b6e3d0a5ae8e0261e5da1590e3101affe451d19
                                                                            • Opcode Fuzzy Hash: 5415d88764e052b7cc053fc60ae1d128c9d1c3aabcee9cea4bb9644f515e39a9
                                                                            • Instruction Fuzzy Hash: 65C1E173A18A858AEB20CF2AD0543FC2764FB94358F518175DA4E47AB6EF3CE685C341
                                                                            Function 00007FFE1159BE40 Relevance: .3, Instructions: 306COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 111de2ef078acda115f9b5375dac22ea22837e25c9e9003cc67f4d325144607e
                                                                            • Instruction ID: fa890ed7eac52a3b2e63a0d40666e2750188f67924d3695c8a483e8737134c55
                                                                            • Opcode Fuzzy Hash: 111de2ef078acda115f9b5375dac22ea22837e25c9e9003cc67f4d325144607e
                                                                            • Instruction Fuzzy Hash: 22C144B3B18A899BEB18CB16D244BBDB769F754350F408175CB5A43BA0DB3DE461CB02
                                                                            Function 00007FFE1157B360 Relevance: .3, Instructions: 278COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 61a8b7ac27296479e545b1b2f109a1ce6dfe65e7b074690143c8e50b3e2e0259
                                                                            • Instruction ID: 0ab908e5229b81ace56e1f2a3df528a6e5d59f2685469e56cfeb3f094f6bbed1
                                                                            • Opcode Fuzzy Hash: 61a8b7ac27296479e545b1b2f109a1ce6dfe65e7b074690143c8e50b3e2e0259
                                                                            • Instruction Fuzzy Hash: 00B138A223D5F446F7104B3E1504AA97ED0F3C6B46F88A231EED94BBA6C63DC502DB50
                                                                            Function 00007FFE1157B980 Relevance: .3, Instructions: 276COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4d280883f1126ac7ed789e6ef497116748f2b1ad1fa5b9b856088123ba8e5492
                                                                            • Instruction ID: 66606b269685743dd799922639dd2fa9b7e27105c37ceeed218f28d9f069eced
                                                                            • Opcode Fuzzy Hash: 4d280883f1126ac7ed789e6ef497116748f2b1ad1fa5b9b856088123ba8e5492
                                                                            • Instruction Fuzzy Hash: ADB1F9A22395F446E7014B3E4504AA97ED0F3CAB46F89B231EED94BB66C63DC502DB50
                                                                            Function 00007FFE1157C9A0 Relevance: .3, Instructions: 273COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 10002733c0ec1ef72d31c188d20fce8b1a4baa32328c374bc302822310700280
                                                                            • Instruction ID: cc4c790f04bbebf5edb5cbbfce8cd89ba8a8d1bb21a98ecf53fd3f52fc3f9482
                                                                            • Opcode Fuzzy Hash: 10002733c0ec1ef72d31c188d20fce8b1a4baa32328c374bc302822310700280
                                                                            • Instruction Fuzzy Hash: 2BD1AF13E18FC586EB21CF29D9056FD6724FBA9758F419325DF8D16A66EF28E284C300
                                                                            Function 00007FFE1159C750 Relevance: .3, Instructions: 264COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: efe8411406935571b5fcc9386beaf6bf0595e028845258005ce2e597c45f6821
                                                                            • Instruction ID: 5def98cce76834fcc02732f53565a410c3228c093e2a98e34700dca48d83b776
                                                                            • Opcode Fuzzy Hash: efe8411406935571b5fcc9386beaf6bf0595e028845258005ce2e597c45f6821
                                                                            • Instruction Fuzzy Hash: 94A14972A0C98986FB24CB16E0547BE3699EB90764F5141B5CA8F47BB1EF3CE441C712
                                                                            Function 00007FFE1157BDB0 Relevance: .3, Instructions: 262COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 626452242-0
                                                                            • Opcode ID: 0c3df8bffa3a742d2be1b599f3070071ca019e9ef336d73c273143502260e25c
                                                                            • Instruction ID: 1b45cbbf09ae330c8a9cd7ea5b534231bf9612ed9cbcff9274041ecf466e60c2
                                                                            • Opcode Fuzzy Hash: 0c3df8bffa3a742d2be1b599f3070071ca019e9ef336d73c273143502260e25c
                                                                            • Instruction Fuzzy Hash: F4B1E423A0DBC581E7118B26A4153FE6BA4FB96B94F844275DF9D036AADF3CD144C710
                                                                            Function 664783E0 Relevance: .3, Instructions: 256COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9a61c84ef316e62a40cea3762b1dd81ae494a742d4936afeb8b3a88eb4211ba1
                                                                            • Instruction ID: 78d4d89fdd1bb7a967279bdfdb12a8499dd3288834fff84b94601cee7004f8aa
                                                                            • Opcode Fuzzy Hash: 9a61c84ef316e62a40cea3762b1dd81ae494a742d4936afeb8b3a88eb4211ba1
                                                                            • Instruction Fuzzy Hash: 2EA15633B196809BC766CF2DD440B8D3FA1F386BD8F689026DB4A47795CA3AC596C701
                                                                            Function 00007FFE11598F20 Relevance: .2, Instructions: 229COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a846dba49851ff8f977dc0cf51db2c9d6277ea8ddd50718e24de21e0e9a0d317
                                                                            • Instruction ID: 5b9da09a3fd321af9c22ae1c28b9ad98300004c3f59e4ca2bf9523ba7344afae
                                                                            • Opcode Fuzzy Hash: a846dba49851ff8f977dc0cf51db2c9d6277ea8ddd50718e24de21e0e9a0d317
                                                                            • Instruction Fuzzy Hash: B3911A727242918FC768CF29E55465EBBE5F388790B149129EB8AC3F64E73DE8518F00
                                                                            Function 6639C36C Relevance: .2, Instructions: 220COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 856733a1a85329396a5354fa6606c4d0ff5b48c27c8a5d9606b7ced5dc1b10c3
                                                                            • Instruction ID: 27097cb9acd33493487022fbc3bd668a566f16c12761e14edfce2feb2cc78790
                                                                            • Opcode Fuzzy Hash: 856733a1a85329396a5354fa6606c4d0ff5b48c27c8a5d9606b7ced5dc1b10c3
                                                                            • Instruction Fuzzy Hash: E07112B3F1166887EB25DB29D418AAC33E5F315701B418612DA5883B81F376C9E4DFA1
                                                                            Function 00007FFE1157C570 Relevance: .2, Instructions: 217COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d064827428ac469a2f9e64892a3db8cb746b0d9c2e0a34aa59d476054111a106
                                                                            • Instruction ID: 2b465e3ab1cfa60f8686115d388b1b9035a717232b7c33c5c4cbb100218d67b5
                                                                            • Opcode Fuzzy Hash: d064827428ac469a2f9e64892a3db8cb746b0d9c2e0a34aa59d476054111a106
                                                                            • Instruction Fuzzy Hash: 91B1B523A0CBD186E7128B35D5102EEBBB4F75E758F45A151EFCC16A6ADB2CE194CB00
                                                                            Function 00007FFE1157C230 Relevance: .2, Instructions: 211COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8414ebbc79be131ae735677a9d52d285d12a36de52a91b2f229a7ebebccf078a
                                                                            • Instruction ID: f26c40e08c41fb282eb0ac672d207b3e12432545cb9da4919012d034d7759b06
                                                                            • Opcode Fuzzy Hash: 8414ebbc79be131ae735677a9d52d285d12a36de52a91b2f229a7ebebccf078a
                                                                            • Instruction Fuzzy Hash: D1A12432A18AC586EB01CF29D8416ED7764FB69798F811221EF8D57669EF3CE685C300
                                                                            Function 00007FFE115905C6 Relevance: .2, Instructions: 211COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c291a743b1555b88b02f0302e6d62541699fe1794ab181171111a31e6136fe4c
                                                                            • Instruction ID: de8aecea81ad17d4caa21f63bd1d1ed94c2bb6114062d15862fa232c45770e73
                                                                            • Opcode Fuzzy Hash: c291a743b1555b88b02f0302e6d62541699fe1794ab181171111a31e6136fe4c
                                                                            • Instruction Fuzzy Hash: 1B818D72F106508FE708CF7AD4945AC3BFAB748758B24952ADE0AA7B68D739D841CB40
                                                                            Function 00007FFE11591730 Relevance: .2, Instructions: 205COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 54360048bf97f6cf859f320f592fa66b229d0917a58fc83877b8c4ecc531353a
                                                                            • Instruction ID: cb3a158a00f2ed77a436cd17151c4c38529f9c6e72435aaa2e6dfb5ad83fb982
                                                                            • Opcode Fuzzy Hash: 54360048bf97f6cf859f320f592fa66b229d0917a58fc83877b8c4ecc531353a
                                                                            • Instruction Fuzzy Hash: 4191B8015093E0ABD71B863571406FB7FF4A3E220EF499249EAC3422A6C73DA615B722
                                                                            Function 00007FFE115923D0 Relevance: .2, Instructions: 204COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dd6a52521abb6b5b93ff95b69e71b96a19dc1227ed373806b0cae10d5dc3fdf0
                                                                            • Instruction ID: 0be6ca69b23afd240a3703a4a1d415cb4a5074d9320d51f9506f6c8c5c99e017
                                                                            • Opcode Fuzzy Hash: dd6a52521abb6b5b93ff95b69e71b96a19dc1227ed373806b0cae10d5dc3fdf0
                                                                            • Instruction Fuzzy Hash: C7914A63A0E5D04AD7468B3680A10FD3FF4D71A3D874981ABDBDA225A7C92CD249CB52
                                                                            Function 6639C0D8 Relevance: .2, Instructions: 203COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 27ad618eb9b1097a4f418d6bc4fd1984f0cefd266efd7dbcaf610724ebee41d3
                                                                            • Instruction ID: 2884b93f0c22b045be001def4af2b9ee033c6d921072101dbee65621cc6946b5
                                                                            • Opcode Fuzzy Hash: 27ad618eb9b1097a4f418d6bc4fd1984f0cefd266efd7dbcaf610724ebee41d3
                                                                            • Instruction Fuzzy Hash: D161FC77721268C7D7218B34D89996837A9F716341B528231D66483BC1F77BC898CFA1
                                                                            Function 00007FFE11591AE0 Relevance: .2, Instructions: 181COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2d2069e557bba6428e8535167ffcfc5bcf7f3104bb87cd52ee266ca749ec59a1
                                                                            • Instruction ID: a35e5b87c44e9f41ec881ae7d443622a9d4f48586f07b16a6c13134cfeddc1b0
                                                                            • Opcode Fuzzy Hash: 2d2069e557bba6428e8535167ffcfc5bcf7f3104bb87cd52ee266ca749ec59a1
                                                                            • Instruction Fuzzy Hash: 3A913D1350C6E48ADB118B3980A02BDBFB0F35A74CB5C8197E7D983667D62DD36ACB11
                                                                            Function 00007FFE1158B2F0 Relevance: .2, Instructions: 168COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CreateEventSemaphore$CriticalErrorInitializeLastObjectReleaseResetSectionSingleWait
                                                                            • String ID:
                                                                            • API String ID: 4242461879-0
                                                                            • Opcode ID: eaa0a083dd77031dbe9adc75f13d4a343d786a860beecfa6b6c06bc7876dde3a
                                                                            • Instruction ID: 796a6a9b8bcd4c497cf055de41f5a7c735b1929f835e3009697fdc62d5e59c83
                                                                            • Opcode Fuzzy Hash: eaa0a083dd77031dbe9adc75f13d4a343d786a860beecfa6b6c06bc7876dde3a
                                                                            • Instruction Fuzzy Hash: D2513722B24E5587EB68DB17E941BBA265EFB84794F448075CE0E07BB4DE3CE4818740
                                                                            Function 6635244C Relevance: .2, Instructions: 152COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: aa15758c655ccc8691330481d56e95ffcf081d3a0e4508544ac3e02441246f7c
                                                                            • Instruction ID: ff26556b93f25fe20dedc62de55da44e440258582ab72a15c22d7cb004c27ed9
                                                                            • Opcode Fuzzy Hash: aa15758c655ccc8691330481d56e95ffcf081d3a0e4508544ac3e02441246f7c
                                                                            • Instruction Fuzzy Hash: 6D51C363B1074585DB11CA368AA0B6E6251FBC4B99F474131CEDE8B348DF39D496C3A1
                                                                            Function 00007FFE1159BC00 Relevance: .2, Instructions: 150COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fad7abcfd1bff4c0a93975b41074c4948ea51e7dc0455f782c7733455f62cb3e
                                                                            • Instruction ID: 1dc89ff0e4938a4fe6f168c7f1d11a3ee6deb6d9076b3c3fcf8c05ddee486182
                                                                            • Opcode Fuzzy Hash: fad7abcfd1bff4c0a93975b41074c4948ea51e7dc0455f782c7733455f62cb3e
                                                                            • Instruction Fuzzy Hash: FF51D5B2B085458BE75C8B1DD458F7C37A9F744754F64803AD64B87BA0CA3DE846CB42
                                                                            Function 00007FFE1159027A Relevance: .1, Instructions: 135COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0e8830dbd3c8270c4c22ca44e5b0ce5d1f5a09c4860bcd63f45322ee96d73009
                                                                            • Instruction ID: 3eda4550d866d4140b8adcf2c73d971aaf884922c48c0deaf0d7cefc91bde829
                                                                            • Opcode Fuzzy Hash: 0e8830dbd3c8270c4c22ca44e5b0ce5d1f5a09c4860bcd63f45322ee96d73009
                                                                            • Instruction Fuzzy Hash: 9F51BD33A189E18AF705CB2684006BD3FAAF786758B521275CF4B57B90CA38D506DF20
                                                                            Function 66458150 Relevance: .1, Instructions: 133COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1d45d73f0db0a05c3b6d09b3a17c5c3cbe8b59744b000390ec6c95c4791a4fcf
                                                                            • Instruction ID: 7cfb3baffbcd2fdf2c77e0c297e713fcc531de70d0dd29d980e1333286e88544
                                                                            • Opcode Fuzzy Hash: 1d45d73f0db0a05c3b6d09b3a17c5c3cbe8b59744b000390ec6c95c4791a4fcf
                                                                            • Instruction Fuzzy Hash: 3B51F0B72242E48BD310CF2A98542AE7FE0F399B85F55942AEFD693741DA3DD460CB40
                                                                            Function 00007FFE11571000 Relevance: .1, Instructions: 128COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7762b93ce916899f84507c5a8bf8cdfa0b698a1787586b83af1f40661c7069c7
                                                                            • Instruction ID: 3d53053889641c62bc0d7148126d32bf20ea0a03591ab690f0c17431831b5f81
                                                                            • Opcode Fuzzy Hash: 7762b93ce916899f84507c5a8bf8cdfa0b698a1787586b83af1f40661c7069c7
                                                                            • Instruction Fuzzy Hash: 0A418EB6A201A64BCB8CDE16D066AB93755E395301F94823EDF5743BC0CB3A4664CF61
                                                                            Function 00007FFE1157B1A0 Relevance: .1, Instructions: 124COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 35683e67f8c2f244f7dc4ed2427cee75ff94a42cf8a2510b7e2629d598c7efe7
                                                                            • Instruction ID: 507d657f050c65436b1b627cb43a3a5336a347f387deb3dd4a355d7b7322e79e
                                                                            • Opcode Fuzzy Hash: 35683e67f8c2f244f7dc4ed2427cee75ff94a42cf8a2510b7e2629d598c7efe7
                                                                            • Instruction Fuzzy Hash: DF51D523B286E04DF361877650216BD3FF4E70E349B8520A6EFD5AAD85DA3DC250DB50
                                                                            Function 6647A1B0 Relevance: .1, Instructions: 122COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 13c4fbaff9d3d585e978e5b3415f5203a9ae84591111c3dbba176813c03727d5
                                                                            • Instruction ID: 59f34e7ab7d53118a1c19631672ea643329e16381b953bf0a9d44ea32809cd3d
                                                                            • Opcode Fuzzy Hash: 13c4fbaff9d3d585e978e5b3415f5203a9ae84591111c3dbba176813c03727d5
                                                                            • Instruction Fuzzy Hash: B45184739101609FD386DF39E9C8EAA73A5F70438EF828B15DF4267884C628E562D790
                                                                            Function 00007FFE1159B940 Relevance: .1, Instructions: 119COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cf47b96c682d87b4cf38130dac83b2b2c2402fbbfd8d2dcc6b8c40512e5395a9
                                                                            • Instruction ID: 59e889aa6fb2f27bcc604901f266be7ddd2fcaf64369d82df1cf30c5ba89d0bc
                                                                            • Opcode Fuzzy Hash: cf47b96c682d87b4cf38130dac83b2b2c2402fbbfd8d2dcc6b8c40512e5395a9
                                                                            • Instruction Fuzzy Hash: 9E414A73A04A498BEB04CF67E8006BE77D8EB85765F488075EE0A87761DE7CD482CB10
                                                                            Function 00007FFE1157A9D0 Relevance: .1, Instructions: 107COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2fefaf8f31a22b020a254c836ddf354618f6132c6dc1984a0d2bc814ab9d1951
                                                                            • Instruction ID: cd9d2751fe137b5668a673495e6125d8de38e23ef9d6cbe578196b6437d807f4
                                                                            • Opcode Fuzzy Hash: 2fefaf8f31a22b020a254c836ddf354618f6132c6dc1984a0d2bc814ab9d1951
                                                                            • Instruction Fuzzy Hash: 2341D6736342E48BE35ACF19A5186AA3398F39834AF8A5125FF85837D5CA3CF904C750
                                                                            Function 6646A1C0 Relevance: .1, Instructions: 90COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d1421bd1e04b78afe0c8d4de7cb70a88f11c1192b5e03a42934934d882fda821
                                                                            • Instruction ID: 54c53ba3fae92aa56b2d9970c0c05d42280d80fef90d74216a952ff1f167df6e
                                                                            • Opcode Fuzzy Hash: d1421bd1e04b78afe0c8d4de7cb70a88f11c1192b5e03a42934934d882fda821
                                                                            • Instruction Fuzzy Hash: 1231A472A14A9087C719CF2EE49069C77B1F389B8CF584229DF5A83758DB39D591CB00
                                                                            Function 00007FFE11590940 Relevance: .1, Instructions: 83COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0dffb2629ee88ded9dfb8b162325abaa0fdbdd1cc9c8df04347e52c0a478c7dc
                                                                            • Instruction ID: 2c247d629f54941674bd62792c09e5ebabfc6da81d15d27373cf7d4a93832d51
                                                                            • Opcode Fuzzy Hash: 0dffb2629ee88ded9dfb8b162325abaa0fdbdd1cc9c8df04347e52c0a478c7dc
                                                                            • Instruction Fuzzy Hash: AD217B72E24EC646EB068B3E805217DA755EFE6794B14D772D75A633A2EF2CA4D08200
                                                                            Function 6647A330 Relevance: .1, Instructions: 83COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 23d2cde584cd8c376f53159015a117d74e34008cab9628a68184a4ee059c4389
                                                                            • Instruction ID: 8f8d9de0135d51c4799fbabc7525b4480e45ed1da1726ded205799361597645f
                                                                            • Opcode Fuzzy Hash: 23d2cde584cd8c376f53159015a117d74e34008cab9628a68184a4ee059c4389
                                                                            • Instruction Fuzzy Hash: C831F963B726B882F7C2BF26C464B6D2354F3443A2FE66117DE8913385D934D805D390
                                                                            Function 66472260 Relevance: .1, Instructions: 75COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 95c55dd4530de29bafdcd55e89ef9ddc2230651d41d1a88a2fcacafd83e84a92
                                                                            • Instruction ID: fffdd54e7f6f563b3a3cb7801231b88a42ce0f7c1ed19a68fc1777f10284d395
                                                                            • Opcode Fuzzy Hash: 95c55dd4530de29bafdcd55e89ef9ddc2230651d41d1a88a2fcacafd83e84a92
                                                                            • Instruction Fuzzy Hash: 9A4140B2505F8086D758CF25E88438D77F8FB49B88F188139DB8C9B728EB7584A5C764
                                                                            Function 00007FFE1158B540 Relevance: .1, Instructions: 68COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1d14ef595ca4090e6378606dc41abe2d360b15b990a4df0c3623dcfb942cb3de
                                                                            • Instruction ID: a53c0034b4ce28820aed9bd8d64d1feb8dbb87eb883e058b2f0793bae3cfdbe7
                                                                            • Opcode Fuzzy Hash: 1d14ef595ca4090e6378606dc41abe2d360b15b990a4df0c3623dcfb942cb3de
                                                                            • Instruction Fuzzy Hash: B9118736B2891603FB6E84276920FB524895FE1356F4CA174DD0B86FF1FD6EBD808600
                                                                            Function 00007FFE1157ABC0 Relevance: .1, Instructions: 58COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3e79192166d72f73dc3f75b9b73101054cb38332d2a7fa7bcc43414c8b52aa24
                                                                            • Instruction ID: ee9183a4aa71c2785621ea7c8781c02b751668ea5af73c532169b77f433a56c5
                                                                            • Opcode Fuzzy Hash: 3e79192166d72f73dc3f75b9b73101054cb38332d2a7fa7bcc43414c8b52aa24
                                                                            • Instruction Fuzzy Hash: 2411133A310A8A0BEF5DC42985627AA61C317C4341FC0C438AE8FCB7D6FF7A88564585
                                                                            Function 66476410 Relevance: .0, Instructions: 49COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 021b21dd7af2620adbdb44792c77cc851b70724404d2d08c5b6b5d71b93712f9
                                                                            • Instruction ID: 462d6a930bf60122ae7ac741201b33285d621e36d34349cdc3769d8a841bace1
                                                                            • Opcode Fuzzy Hash: 021b21dd7af2620adbdb44792c77cc851b70724404d2d08c5b6b5d71b93712f9
                                                                            • Instruction Fuzzy Hash: F8016166B05A54829B24CF2AE05088EA762F789FF47941B15DEBC17BD9CB39C442C748
                                                                            Function 00007FFE115B2110 Relevance: .0, Instructions: 32COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5ba9f16cac562973b6c29f57ac51b1fc22ad70941f87b07427bd4638023fb9ca
                                                                            • Instruction ID: 328b5c7e9268a43541c59723cce42b3d37a7f3d3ef9db1393d9263909c30e972
                                                                            • Opcode Fuzzy Hash: 5ba9f16cac562973b6c29f57ac51b1fc22ad70941f87b07427bd4638023fb9ca
                                                                            • Instruction Fuzzy Hash: 21F068727186559AEB948F29A84262A77E8F7483D0FD08079D68DC3B74D67C90518F44
                                                                            Function 663FC0C0 Relevance: 69.4, APIs: 28, Strings: 18, Instructions: 436COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 8230 663fc0c0-663fc113 8231 663fc14d-663fc151 8230->8231 8232 663fc115-663fc125 8230->8232 8233 663fc157-663fc165 call 66341ffc 8231->8233 8234 663fc544-663fc548 8231->8234 8235 663fc127-663fc12a 8232->8235 8236 663fc133-663fc136 8232->8236 8247 663fc20c 8233->8247 8248 663fc16b-663fc175 8233->8248 8240 663fc54a-663fc54e 8234->8240 8241 663fc554-663fc5bd call 663f6664 call 663420d8 8234->8241 8237 663fc148-663fc14a 8235->8237 8242 663fc12c-663fc131 8235->8242 8236->8237 8238 663fc138-663fc13e 8236->8238 8237->8231 8238->8237 8243 663fc140-663fc146 8238->8243 8240->8241 8245 663fc6c0 8240->8245 8273 663fc5c2-663fc5c6 8241->8273 8242->8235 8242->8236 8243->8237 8243->8238 8250 663fc6c3-663fc6c9 8245->8250 8255 663fc214-663fc218 8247->8255 8253 663fc1ca-663fc1d2 8248->8253 8254 663fc177-663fc179 8248->8254 8251 663fc6cf-663fc6d6 8250->8251 8252 663fc792-663fc79b call 663fbc34 8250->8252 8257 663fc6ed-663fc703 call 663420d8 8251->8257 8258 663fc6d8-663fc6e8 call 6634231c 8251->8258 8271 663fc7a0-663fc7b3 8252->8271 8259 663fc1f0-663fc1f3 8253->8259 8260 663fc17b-663fc17e 8254->8260 8261 663fc1d4-663fc1dc 8254->8261 8263 663fc22f-663fc23c 8255->8263 8264 663fc21a-663fc22a call 663fb818 8255->8264 8289 663fc717-663fc748 call 6634221c call 6647a1c0 call 6634144c call 6634221c 8257->8289 8290 663fc705-663fc715 call 6634221c 8257->8290 8288 663fc780-663fc78d call 663422d8 8258->8288 8259->8255 8268 663fc1f5-663fc20a call 663fb818 8259->8268 8269 663fc1de-663fc1e6 8260->8269 8270 663fc180-663fc182 8260->8270 8261->8259 8274 663fc23e-663fc27e call 66341ffc call 66342d00 call 663fb818 free 8263->8274 8275 663fc283-663fc287 8263->8275 8264->8263 8268->8255 8269->8259 8282 663fc1e8 8270->8282 8283 663fc184-663fc18e 8270->8283 8284 663fc5c8-663fc5d1 8273->8284 8285 663fc5d3-663fc5d8 8273->8285 8274->8275 8279 663fc29e-663fc2a2 8275->8279 8280 663fc289-663fc299 call 663fbae8 8275->8280 8293 663fc2b9-663fc2e7 call 663fbae8 * 2 8279->8293 8294 663fc2a4-663fc2b4 call 663fbae8 8279->8294 8280->8279 8282->8259 8295 663fc192-663fc197 8283->8295 8286 663fc5dc-663fc5e3 8284->8286 8285->8286 8296 663fc626-663fc62b 8286->8296 8297 663fc5e5-663fc60b call 663fbc34 8286->8297 8288->8252 8317 663fc74d-663fc750 8289->8317 8290->8317 8327 663fc2ef 8293->8327 8328 663fc2e9-663fc2ed 8293->8328 8294->8293 8304 663fc199-663fc1a6 8295->8304 8305 663fc1c0-663fc1c8 8295->8305 8296->8273 8308 663fc62d-663fc6be free * 5 8296->8308 8323 663fc62f 8297->8323 8324 663fc60d-663fc624 call 663fbbb0 8297->8324 8304->8295 8312 663fc1a8-663fc1b1 8304->8312 8305->8259 8308->8250 8312->8259 8313 663fc1b3-663fc1be 8312->8313 8313->8259 8321 663fc777-663fc77b call 66343208 8317->8321 8322 663fc752-663fc75c 8317->8322 8321->8288 8322->8321 8329 663fc75e-663fc775 call 6634213c 8322->8329 8332 663fc634-663fc672 free * 5 8323->8332 8324->8296 8342 663fc631 8324->8342 8335 663fc2f2-663fc2fa 8327->8335 8328->8327 8328->8335 8329->8288 8332->8271 8339 663fc32d-663fc338 8335->8339 8340 663fc2fc-663fc301 8335->8340 8345 663fc34f-663fc35a 8339->8345 8346 663fc33a-663fc34a call 663fb910 8339->8346 8343 663fc318-663fc328 call 663fb910 8340->8343 8344 663fc303-663fc306 8340->8344 8342->8332 8343->8339 8344->8339 8347 663fc308-663fc30c 8344->8347 8350 663fc35c-663fc36c call 663fb910 8345->8350 8351 663fc371-663fc375 8345->8351 8346->8345 8347->8343 8355 663fc30e-663fc311 8347->8355 8350->8351 8353 663fc38c-663fc390 8351->8353 8354 663fc377-663fc387 call 663fb818 8351->8354 8357 663fc3a7-663fc3b1 8353->8357 8358 663fc392-663fc3a2 call 663fb818 8353->8358 8354->8353 8355->8339 8359 663fc313-663fc316 8355->8359 8361 663fc3b7-663fc450 call 663f6664 call 663420d8 call 663fbc34 8357->8361 8362 663fc531-663fc53f free 8357->8362 8358->8357 8359->8339 8359->8343 8369 663fc452-663fc48e free * 5 8361->8369 8370 663fc490-663fc4a6 call 663fbbb0 8361->8370 8362->8250 8371 663fc4e4-663fc4f0 free 8369->8371 8374 663fc4a8-663fc4e3 free * 5 8370->8374 8375 663fc4f5-663fc530 free * 5 8370->8375 8371->8271 8374->8371 8375->8362
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: @PathCut/_pc_$L$PaxHeader/@PaxHeader$atime$crc32/$ctime$devmajor$devminor$gid$gname$linkpath$mtime$path$root$size$uid$uname$ustar
                                                                            • API String ID: 1294909896-580915693
                                                                            • Opcode ID: 16d5dc3d49595b453a05baf98a30575b6c175a0efd97349e649441b4ee0df17c
                                                                            • Instruction ID: 3fcfb264f299124923566d065ecc09738d73cd396ab1e8c58634c2639ac73388
                                                                            • Opcode Fuzzy Hash: 16d5dc3d49595b453a05baf98a30575b6c175a0efd97349e649441b4ee0df17c
                                                                            • Instruction Fuzzy Hash: E002E7736686C195CB20DF29EC5039F7B61F395B88F805122DACE47A29DF3AC55ACB40
                                                                            Function 6640275C Relevance: 55.9, APIs: 6, Strings: 31, Instructions: 405COMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 9959 6640275c-664027bc call 66342858 call 66342c64 call 6634359c 9966 664027c2 9959->9966 9967 664028fe-6640291c call 66342c64 call 6634359c 9959->9967 9968 664027c5-664027c8 9966->9968 9978 66402a80-66402a9e call 66342c64 call 6634359c 9967->9978 9979 66402922 9967->9979 9970 664027d2-66402805 call 66401e68 * 2 9968->9970 9971 664027ca-664027cd call 6634359c 9968->9971 9987 66402807-66402816 call 66401e68 9970->9987 9988 6640281b-664028f8 call 66401e2c call 66402194 call 66342c20 free call 6634359c call 66401e2c call 664021cc call 66342c20 free call 6634359c call 66401e2c call 66401b14 call 6634359c call 66401e2c call 66401b14 call 66401f60 call 6634359c 9970->9988 9971->9970 9998 66402e03-66402e16 9978->9998 9999 66402aa4 9978->9999 9982 66402925-66402928 9979->9982 9985 66402932-66402965 call 66401e68 * 2 9982->9985 9986 6640292a-6640292d call 6634359c 9982->9986 10007 66402967-66402979 call 66401e68 9985->10007 10008 6640297e-66402a14 call 66401e2c call 66401b14 call 6634359c call 66401e2c call 66401b14 call 66401f60 call 6634359c call 66401e2c call 66348530 call 66342c64 free call 6634359c 9985->10008 9986->9985 9987->9988 9988->9967 9988->9968 10002 66402aa7-66402aaa 9999->10002 10005 66402ab4-66402abf 10002->10005 10006 66402aac-66402aaf call 6634359c 10002->10006 10011 66402ac1-66402ace call 66401e68 10005->10011 10012 66402ad3-66402b8b call 66401e2c call 664021cc call 66342c20 free call 6634359c call 66401e68 call 66401ec8 call 66401e2c call 66401b14 call 66401f60 call 6634359c call 66342c64 call 6634359c 10005->10012 10006->10005 10022 66402a19-66402a7a call 66401e2c call 66343304 call 6634359c call 66401e2c call 66343304 call 6634359c 10007->10022 10008->10022 10011->10012 10098 66402cb1-66402ccf call 66342c64 call 6634359c 10012->10098 10099 66402b91-66402b93 10012->10099 10022->9978 10022->9982 10111 66402df4-66402dfd 10098->10111 10112 66402cd5-66402cd8 10098->10112 10100 66402b95-66402b98 call 6634359c 10099->10100 10101 66402b9d-66402bfc call 66401e94 * 4 10099->10101 10100->10101 10123 66402c02-66402c60 call 66401e94 call 66342c64 call 66401e2c call 66401b14 call 66342858 call 66401b80 10101->10123 10124 66402c9e-66402ca8 10101->10124 10111->9998 10111->10002 10114 66402ce2-66402deb call 66342c64 call 66401e68 call 66342c64 call 66401e68 call 66342c64 call 66401e2c call 664021cc call 66342c20 free call 6634359c call 664022f0 * 3 call 66342c64 call 66401ec8 10112->10114 10115 66402cda-66402cdd call 6634359c 10112->10115 10114->10112 10171 66402df1 10114->10171 10115->10114 10152 66402c62-66402c79 call 66342c64 call 66342c20 10123->10152 10153 66402c7e-66402c99 call 66401f60 free call 6634359c 10123->10153 10124->10099 10128 66402cae 10124->10128 10128->10098 10152->10153 10153->10124 10171->10111
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: File Sets:$ Partition Maps:$AbstractId$AccessType$ApplicationId$BlockSize$ContentsId$CopyrightId$DomainId$FileSetDescNumber$FileSetNumber$ImplementationId$IsMetadata$Logical Volumes:$LogicalVolumeId$MaximumVolumeSequenceNumber$MetadataFileLocation$Number$PartitionIndex$PartitionMap$PartitionNumber$PartitionTypeId$Partitions:$Pos$Primary Volumes:$PrimaryVolumeDescriptorNumber$Size$Type$VolumeId$VolumeSequenceNumber$VolumeSetId
                                                                            • API String ID: 1294909896-3952546333
                                                                            • Opcode ID: dfa0931e01cfb5529b55a04ee712b6a62ba784dd22bb4daed175266757fa3a7b
                                                                            • Instruction ID: 1d1dda16f93ed6179249e8199222d57ff7d5fa6c3a73ec9fb8413744e689adb4
                                                                            • Opcode Fuzzy Hash: dfa0931e01cfb5529b55a04ee712b6a62ba784dd22bb4daed175266757fa3a7b
                                                                            • Instruction Fuzzy Hash: 6DF1B461304A5091DE14EB26DFD0BBE6B63EB89BCCF805125CD4A1BB18DF7AC546C781
                                                                            Function 663FA10C Relevance: 43.8, APIs: 18, Strings: 11, Instructions: 329stringCOMMON
                                                                            Download Yara Rule

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 11125 663fa10c-663fa198 call 66341ffc * 2 11130 663fa19e-663fa1a0 11125->11130 11131 663fa5c0-663fa5cb free 11125->11131 11133 663fa1a3-663fa1a6 11130->11133 11132 663fa5cd-663fa5e9 free 11131->11132 11134 663fa1ac-663fa1b1 11133->11134 11135 663fa5b3-663fa5be free 11133->11135 11134->11135 11136 663fa1b7-663fa1ba 11134->11136 11135->11132 11137 663fa1bc-663fa1c1 11136->11137 11138 663fa1c3-663fa1c5 11136->11138 11137->11133 11139 663fa57f-663fa58a free 11138->11139 11140 663fa1cb-663fa1f2 call 66344ce4 11138->11140 11139->11132 11143 663fa1f8-663fa1fe 11140->11143 11144 663fa5a6-663fa5b1 free 11140->11144 11143->11144 11145 663fa204-663fa209 11143->11145 11144->11132 11145->11144 11146 663fa20f-663fa219 11145->11146 11146->11144 11147 663fa21f-663fa227 11146->11147 11148 663fa23f-663fa243 11147->11148 11149 663fa229 11147->11149 11151 663fa257-663fa259 11148->11151 11152 663fa245 11148->11152 11150 663fa22d-663fa22f 11149->11150 11155 663fa58c-663fa597 free 11150->11155 11156 663fa235-663fa23d 11150->11156 11153 663fa25f-663fa29a call 6634231c * 2 11151->11153 11154 663fa599-663fa5a4 free 11151->11154 11157 663fa249-663fa24c 11152->11157 11163 663fa52b-663fa52e 11153->11163 11164 663fa2a0-663fa2b3 strcmp 11153->11164 11154->11132 11155->11132 11156->11148 11156->11150 11157->11151 11158 663fa24e-663fa255 11157->11158 11158->11151 11158->11157 11167 663fa55c-663fa577 11163->11167 11168 663fa530-663fa542 11163->11168 11165 663fa2d5-663fa2e8 strcmp 11164->11165 11166 663fa2b5-663fa2b8 11164->11166 11174 663fa30a-663fa31d strcmp 11165->11174 11175 663fa2ea-663fa2ed 11165->11175 11170 663fa2be-663fa2d0 call 6634213c 11166->11170 11171 663fa2ba 11166->11171 11167->11130 11169 663fa57d 11167->11169 11172 663fa558 11168->11172 11173 663fa544-663fa556 call 663422d8 11168->11173 11169->11131 11170->11167 11171->11170 11172->11167 11173->11167 11176 663fa33f-663fa352 strcmp 11174->11176 11177 663fa31f-663fa322 11174->11177 11180 663fa2ef 11175->11180 11181 663fa2f3-663fa305 call 6634213c 11175->11181 11185 663fa377-663fa38a strcmp 11176->11185 11186 663fa354-663fa357 11176->11186 11183 663fa328-663fa33a call 6634213c 11177->11183 11184 663fa324 11177->11184 11180->11181 11181->11167 11183->11167 11184->11183 11189 663fa3cd-663fa3e0 strcmp 11185->11189 11190 663fa38c-663fa38f 11185->11190 11193 663fa35d-663fa372 call 6634213c 11186->11193 11194 663fa359 11186->11194 11197 663fa41d-663fa430 strcmp 11189->11197 11198 663fa3e2-663fa3e5 11189->11198 11195 663fa395-663fa399 11190->11195 11196 663fa391 11190->11196 11193->11167 11194->11193 11203 663fa39f-663fa3be call 66344ce4 11195->11203 11204 663fa527 11195->11204 11196->11195 11201 663fa432-663fa435 11197->11201 11202 663fa471-663fa484 strcmp 11197->11202 11205 663fa3eb-663fa3ef 11198->11205 11206 663fa3e7 11198->11206 11208 663fa43b-663fa442 11201->11208 11209 663fa437 11201->11209 11211 663fa49c-663fa4af strcmp 11202->11211 11212 663fa486-663fa497 call 663f9fac 11202->11212 11203->11204 11223 663fa3c4-663fa3c8 11203->11223 11204->11163 11205->11204 11213 663fa3f5-663fa40e call 66344ce4 11205->11213 11206->11205 11208->11204 11214 663fa448-663fa462 call 66344d84 11208->11214 11209->11208 11217 663fa4c5-663fa4d8 strcmp 11211->11217 11218 663fa4b1-663fa4c3 call 663f9fac 11211->11218 11230 663fa523-663fa525 11212->11230 11213->11204 11232 663fa414-663fa418 11213->11232 11214->11204 11236 663fa468-663fa46c 11214->11236 11220 663fa4ee-663fa501 strcmp 11217->11220 11221 663fa4da-663fa4ec call 663f9fac 11217->11221 11218->11230 11220->11163 11228 663fa503-663fa506 11220->11228 11221->11230 11223->11167 11234 663fa50c-663fa521 call 6634213c 11228->11234 11235 663fa508 11228->11235 11230->11167 11230->11204 11232->11167 11234->11167 11235->11234 11236->11167
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: strcmp$free
                                                                            • String ID: SCHILY.fflags$atime$ctime$gid$gname$linkpath$mtime$path$size$uid$uname
                                                                            • API String ID: 3401341699-1902728757
                                                                            • Opcode ID: dba7254ed9d2af567a113fa21fa4dc0e6c5e1dafdf0c1cf1d28e3f21e419e31c
                                                                            • Instruction ID: 2c432f75052f1f984472ab277d0fc78b7efde7d52234cbf9bf3f5b4f8b96d984
                                                                            • Opcode Fuzzy Hash: dba7254ed9d2af567a113fa21fa4dc0e6c5e1dafdf0c1cf1d28e3f21e419e31c
                                                                            • Instruction Fuzzy Hash: CBD1E1A366C6C0EBDB10DB28E98029D7BA1F392748F841126C7CD47A55DBB7C4AEC741
                                                                            Function 66346518 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 394COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 66342894: memmove.MSVCRT ref: 663428CC
                                                                            • free.MSVCRT ref: 663466A6
                                                                            • free.MSVCRT ref: 663466D6
                                                                            • free.MSVCRT ref: 663466E1
                                                                            • free.MSVCRT ref: 663466F6
                                                                            • free.MSVCRT ref: 663467A3
                                                                              • Part of subcall function 66346518: SetLastError.KERNEL32 ref: 66346706
                                                                              • Part of subcall function 66346518: free.MSVCRT ref: 66346712
                                                                              • Part of subcall function 66346518: free.MSVCRT ref: 6634671D
                                                                              • Part of subcall function 66346518: free.MSVCRT ref: 66346732
                                                                              • Part of subcall function 66346518: free.MSVCRT ref: 663467B4
                                                                              • Part of subcall function 66346518: free.MSVCRT ref: 663467BF
                                                                            • free.MSVCRT ref: 66346776
                                                                            • free.MSVCRT ref: 66346781
                                                                            • free.MSVCRT ref: 66346796
                                                                            • wcscmp.MSVCRT ref: 663469DE
                                                                            • free.MSVCRT ref: 663469FE
                                                                            • free.MSVCRT ref: 66346A45
                                                                              • Part of subcall function 663429BC: free.MSVCRT ref: 663429F6
                                                                              • Part of subcall function 663429BC: memmove.MSVCRT ref: 66342A11
                                                                            • free.MSVCRT ref: 66346A81
                                                                              • Part of subcall function 66346120: FindClose.KERNEL32 ref: 66346132
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$memmove$CloseErrorFindLastwcscmp
                                                                            • String ID: :$DATA
                                                                            • API String ID: 2757989841-2587938151
                                                                            • Opcode ID: 62d7b1bff45766bb011efd62bc08760d15673b7e32fc0b1a4535b9d3bb3bc2dc
                                                                            • Instruction ID: 26884e238df699a5feb77f285d56f59a2fe06002ca8cdbf48f0a6bdf013b2211
                                                                            • Opcode Fuzzy Hash: 62d7b1bff45766bb011efd62bc08760d15673b7e32fc0b1a4535b9d3bb3bc2dc
                                                                            • Instruction Fuzzy Hash: 48F1D47254868096CB20EF26D99025EFBF0F796784F408226D7DE87A68DF39D569CB00
                                                                            Function 663665C8 Relevance: 30.4, APIs: 19, Strings: 1, Instructions: 442stringCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$memmovestrcmp
                                                                            • String ID: TRAILER!!!
                                                                            • API String ID: 608483625-1266755072
                                                                            • Opcode ID: 9f28975bbbccc61dd4531f5450c694053f3f1b03685f557f834563c510d99622
                                                                            • Instruction ID: 6f0de1d722e18198c8fc865ad48925e0cebdc4211e3de8d8ee7cd8ea16a6443b
                                                                            • Opcode Fuzzy Hash: 9f28975bbbccc61dd4531f5450c694053f3f1b03685f557f834563c510d99622
                                                                            • Instruction Fuzzy Hash: C3028272A18A80C6CB20DF27E49065DB7F5F386BC8F104615DA9A87B1CDF3AC595CB42
                                                                            Function 663DE058 Relevance: 30.2, APIs: 2, Strings: 18, Instructions: 212COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • free.MSVCRT ref: 663DE3D6
                                                                              • Part of subcall function 663DD9EC: free.MSVCRT ref: 663DDA8D
                                                                              • Part of subcall function 66347F88: _CxxThrowException.MSVCRT ref: 66347FCE
                                                                            • free.MSVCRT ref: 663DE289
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$ExceptionThrow
                                                                            • String ID: ,$7$Abstract$Application$Bib$Copyright$G$Incorrect big-endian headers$Preparer$Publisher$Self-linked directory$System$Too deep directory levels$Volume$VolumeSequenceNumber$VolumeSet$VolumeSetSize$VolumeSpaceSize
                                                                            • API String ID: 4001284683-140784582
                                                                            • Opcode ID: 24171f42d955cf042d043d57e8d23e1b54444b4be249bae821e40949e9f59ff7
                                                                            • Instruction ID: 8bf83a43b54e68e7c9ea4cb6e810b751309cdcad716b513991b042371da37b64
                                                                            • Opcode Fuzzy Hash: 24171f42d955cf042d043d57e8d23e1b54444b4be249bae821e40949e9f59ff7
                                                                            • Instruction Fuzzy Hash: 8C916063234AC5A2CB50EB24EC90AAFFB61FB9074CF805112E6DE47568DF7AC659C740
                                                                            Function 663B66A8 Relevance: 28.7, APIs: 1, Strings: 18, Instructions: 238COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: NO-XXH64$XXH64$content-size-frame-max$content-size-total$data-frames$decoded:$dictionary-ID:$different-dictionary-IDs$header-open-only:$parsed:$single-segments$skip-frames$skip-frames-size-total$unknown-content-size$unused_bit$wnd-MAX:$wnd-desc-log-MAX:$wnd-use-MAX:
                                                                            • API String ID: 0-2328309218
                                                                            • Opcode ID: 6068cae762dc7d0c1d459e1cc12ade8c21492c68a7e052940b98ffc4f77ae71f
                                                                            • Instruction ID: e7e566ad4de9b9c82607890bc3c20c40e13a26572bdc159f10b6768ad7b520fe
                                                                            • Opcode Fuzzy Hash: 6068cae762dc7d0c1d459e1cc12ade8c21492c68a7e052940b98ffc4f77ae71f
                                                                            • Instruction Fuzzy Hash: 25A1276370898566DE20DB26D9803AEB771F7A634CF848212D7CD43C69DF3AC659C740
                                                                            Function 6636A758 Relevance: 27.3, APIs: 5, Strings: 13, Instructions: 311COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: .dmg$CRC$Checksum$Master CRC error$Name$RSRC_MODE$blob$master-checksum$pack$pack-checksum$rsrc$unpack-size$xml
                                                                            • API String ID: 1294909896-3781194934
                                                                            • Opcode ID: c326855746cf1861024c17c01b24e6187a9a42cbc95a01c7afd41fb113c94e29
                                                                            • Instruction ID: c14b89ee7a2931a8717417bb1662d591c42dee75133b72babe9278eaf1218acc
                                                                            • Opcode Fuzzy Hash: c326855746cf1861024c17c01b24e6187a9a42cbc95a01c7afd41fb113c94e29
                                                                            • Instruction Fuzzy Hash: A1C1B27361899593CB20DF1AE89029EB7A1F7D5788F804216D6CEC3A6CDF39C55ACB40
                                                                            Function 00007FFE11582060 Relevance: 26.4, APIs: 1, Strings: 14, Instructions: 104COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                            • API String ID: 3668304517-727060406
                                                                            • Opcode ID: 3fcf7962b68b771c7cde0654cf5141341ab3556115516e97333b06af011fadc9
                                                                            • Instruction ID: b9fc6632d734337083a378d879e8f800912f3628a0a027d0043167d1d4bc9b23
                                                                            • Opcode Fuzzy Hash: 3fcf7962b68b771c7cde0654cf5141341ab3556115516e97333b06af011fadc9
                                                                            • Instruction Fuzzy Hash: B941F636B05F4199EB118B62E8802E937AAFB48768F414276DA5D13BB8EE3CD155C384
                                                                            Function 663CC104 Relevance: 26.3, APIs: 21, Instructions: 74COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: b990df81eca030f0d06f17458d9d5947195e694393337b07e50147314831ef6d
                                                                            • Instruction ID: 3fb30ab30220756cf037f805b65d0e51ef01c741ede5030017a3c4e64d03a7ac
                                                                            • Opcode Fuzzy Hash: b990df81eca030f0d06f17458d9d5947195e694393337b07e50147314831ef6d
                                                                            • Instruction Fuzzy Hash: EE21366265198481DA11FF36DC6136CA760FBA5F98F044232DEDD5B26EDF20CA65C310
                                                                            Function 663F60DC Relevance: 25.7, APIs: 2, Strings: 15, Instructions: 183COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: GNU$LongLink$LongName$OEM$PAX$PAX_GLOBAL_ERROR$PAX_ITEM$POSIX$SCHILY.fflags$UTF-8$atime$ctime$linkpath$mtime$path
                                                                            • API String ID: 1294909896-1288011472
                                                                            • Opcode ID: df977d0511e39b1654c886300f833716db2437b8362aa7719a8a5087a7a669f7
                                                                            • Instruction ID: 8101070f568e09e00fa6fcb77fa9d4acca9ace633489698b6e55120eaeec062b
                                                                            • Opcode Fuzzy Hash: df977d0511e39b1654c886300f833716db2437b8362aa7719a8a5087a7a669f7
                                                                            • Instruction Fuzzy Hash: 008166636286C1A5EB20EB25D8503AE7B71F79378CF844223D5C847469EF3BC64AC751
                                                                            Function 6639E040 Relevance: 25.6, APIs: 16, Strings: 1, Instructions: 86COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: $K6f
                                                                            • API String ID: 1294909896-1595330636
                                                                            • Opcode ID: 5bdd7c7c209f0afc64b8e7d12924d4841caeb1a20af860f8f8c3594738ca6120
                                                                            • Instruction ID: b690acaae252041677257b54c6f41e59998c13f51f30b8ce8f426e31a3b26a82
                                                                            • Opcode Fuzzy Hash: 5bdd7c7c209f0afc64b8e7d12924d4841caeb1a20af860f8f8c3594738ca6120
                                                                            • Instruction Fuzzy Hash: 8631C832242A8085EB44EF36CCA17AD6760FBD5F89F045232CE9E5772ACF25C559C354
                                                                            Function 66358750 Relevance: 23.9, APIs: 19, Instructions: 121COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 58a08ba13a70f614900a48c425c924156f086a0975f4d48cfbc3392f3a80acc2
                                                                            • Instruction ID: cac8096f42786281c65726305e271e37f6f81322f108cc4c0d19ac58bbed31bd
                                                                            • Opcode Fuzzy Hash: 58a08ba13a70f614900a48c425c924156f086a0975f4d48cfbc3392f3a80acc2
                                                                            • Instruction Fuzzy Hash: 8A413B63B2199099CB11EE26CD5162D9761FBA4FD8F1A0236CEAD5B71ADF31C911C300
                                                                            Function 663B25B0 Relevance: 23.0, APIs: 8, Strings: 7, Instructions: 474stringCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 663442CC: malloc.MSVCRT ref: 663442DC
                                                                            • strlen.MSVCRT ref: 663B289B
                                                                            • strcmp.MSVCRT ref: 663B2B7B
                                                                            • strcmp.MSVCRT ref: 663B2B90
                                                                            • strcmp.MSVCRT ref: 663B2BA5
                                                                              • Part of subcall function 66343CDC: free.MSVCRT ref: 66343D26
                                                                              • Part of subcall function 66343CDC: free.MSVCRT ref: 66343D2F
                                                                              • Part of subcall function 66343CDC: free.MSVCRT ref: 66343D37
                                                                              • Part of subcall function 66343CDC: free.MSVCRT ref: 66343D44
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$strcmp$mallocstrlen
                                                                            • String ID: !rax$Content$PackageInfo$Payload$creation-time$toc$xar
                                                                            • API String ID: 1537117760-2488490757
                                                                            • Opcode ID: 0f411c8d8d34ea00fe7d689144ffddc906ceda4bf535fe85c3be05503719bc93
                                                                            • Instruction ID: b8d7764dae2a6ab27b0514e332f853de3703628824a25a7d15847527dbf742fd
                                                                            • Opcode Fuzzy Hash: 0f411c8d8d34ea00fe7d689144ffddc906ceda4bf535fe85c3be05503719bc93
                                                                            • Instruction Fuzzy Hash: 75026C72704B8486CB10DF2AE59466EB7A1F79AF85F105612DE8E43B28DF39C889C744
                                                                            Function 6635E5F4 Relevance: 22.8, APIs: 11, Strings: 4, Instructions: 282stringCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$memmove$memcmpstrcmp
                                                                            • String ID: Library symbols information error$Long file names parsing error$data.tar.$debian-binary
                                                                            • API String ID: 1306677064-1281787581
                                                                            • Opcode ID: 736cd9bcd0c6c7fada2603969e48c48b3c5fed0255361d93dc4894ae0548b816
                                                                            • Instruction ID: 3621d7212b20231f4a7e88460e4cc18b335c150e8a682441cb3d550373cda9ef
                                                                            • Opcode Fuzzy Hash: 736cd9bcd0c6c7fada2603969e48c48b3c5fed0255361d93dc4894ae0548b816
                                                                            • Instruction Fuzzy Hash: 29B170B6605B8186DB24DF2AD440B2D7BA1F784FE8F420226DEAD47758DF39C469C780
                                                                            Function 663802A4 Relevance: 21.4, APIs: 12, Strings: 2, Instructions: 395COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: H+$rsrc
                                                                            • API String ID: 1294909896-3985706457
                                                                            • Opcode ID: d85465a8fa195f774765f0de21f5987eba88714edaa8fe70e8da8ebe2cfa5b1e
                                                                            • Instruction ID: 9d19335e59b4bd1b8ec0b8305186e62e50a84b2e1f2312c805f18fc906ed0c77
                                                                            • Opcode Fuzzy Hash: d85465a8fa195f774765f0de21f5987eba88714edaa8fe70e8da8ebe2cfa5b1e
                                                                            • Instruction Fuzzy Hash: C7E106726196C087DB20DF29E8507DEBBA1F7C1B88F100519DADD87B68DB79C589CB80
                                                                            Function 663ACE1C Relevance: 21.2, APIs: 11, Strings: 3, Instructions: 194COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: CID$createType$parentCID
                                                                            • API String ID: 1294909896-1049246121
                                                                            • Opcode ID: 07d9f9945e6bf2b1454e23fc04c3e0d612c14e6760af4c10cf495004c637d1c2
                                                                            • Instruction ID: 7d2eff368e8061cdf8be649b6ed701fed869919c0b12cd7cf04c65477c7abd13
                                                                            • Opcode Fuzzy Hash: 07d9f9945e6bf2b1454e23fc04c3e0d612c14e6760af4c10cf495004c637d1c2
                                                                            • Instruction Fuzzy Hash: 16619933245A8095CA11EF19EC9065EFFB1F7D5B98F805212EACE47678DF29C54AC700
                                                                            Function 00007FFE115A6070 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                            • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                            • API String ID: 2565136772-3242537097
                                                                            • Opcode ID: a0da2d4d2dc63ff1985292e0488492c57998359e94231b7fe52c8d69f34f021b
                                                                            • Instruction ID: 110f4e1000fd09b1538cb17182d5adddf7d742ed180a71e599fa71725cf7ce5c
                                                                            • Opcode Fuzzy Hash: a0da2d4d2dc63ff1985292e0488492c57998359e94231b7fe52c8d69f34f021b
                                                                            • Instruction Fuzzy Hash: 0B213621E59E4381FF589B23F85527427ADBF88764F8400B4C91F027B1EF2CB5498714
                                                                            Function 663887FC Relevance: 18.1, APIs: 5, Strings: 7, Instructions: 107COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp$free
                                                                            • String ID: EXFAT $FAT$NTFS$NTFS $UDF$exFAT$v
                                                                            • API String ID: 2368328632-2389478733
                                                                            • Opcode ID: 1f172779359f290f124092a91fce36196c860a0ce74e177169b11664397c7080
                                                                            • Instruction ID: 47a7a4cb89b622e9a03f8a493cc3ea658b7b4ff052cd6f4aaceb93f7f01eb01f
                                                                            • Opcode Fuzzy Hash: 1f172779359f290f124092a91fce36196c860a0ce74e177169b11664397c7080
                                                                            • Instruction Fuzzy Hash: 32313701A2868476EF30AB21AD543DB5BA2E786798F440129CACC4769ADF3FC24EC751
                                                                            Function 66384128 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 149COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$memmove
                                                                            • String ID: -$-$d$h$l
                                                                            • API String ID: 1534225298-1779875107
                                                                            • Opcode ID: 24d7b64dc5b55d4a04fb08b68332fd6f9973c53962b2ebdabf989ec06fc98ac3
                                                                            • Instruction ID: c66fc22ccff603ecd62e166d8255908df13e436ea20725cba0e14a2efb5653cf
                                                                            • Opcode Fuzzy Hash: 24d7b64dc5b55d4a04fb08b68332fd6f9973c53962b2ebdabf989ec06fc98ac3
                                                                            • Instruction Fuzzy Hash: 3251282262868091DB10DF24DC407CEEBA5FBD179CF504219DAD943DAADBBEC959CB40
                                                                            Function 00007FFE11592990 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 88libraryloaderCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                            • API String ID: 2915667086-2207617598
                                                                            • Opcode ID: 78c5b0c1e1f7b188730c7f974ac8e464d23af20910bc04e784c7d410eaff2ae4
                                                                            • Instruction ID: aac6ee81ac8342753dd20bde0ab643f84fb937851bd8fc672b912b9eefd6d12c
                                                                            • Opcode Fuzzy Hash: 78c5b0c1e1f7b188730c7f974ac8e464d23af20910bc04e784c7d410eaff2ae4
                                                                            • Instruction Fuzzy Hash: 4D413B21E1DE4782FB24CB27E8902B4635DAF447B9F8890B1D80E472F5EEBCE5458305
                                                                            Function 00007FFE11592B00 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82libraryloaderCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                            • API String ID: 2915667086-2207617598
                                                                            • Opcode ID: 77d43fbf36a712e60208c11f784546c420b596bde4bb6c0c84a2eb4f4a79ce85
                                                                            • Instruction ID: b680632ebda94bce2f80ab6b5a2d0386d260aaa4af3fdb121c1680c38b2e7004
                                                                            • Opcode Fuzzy Hash: 77d43fbf36a712e60208c11f784546c420b596bde4bb6c0c84a2eb4f4a79ce85
                                                                            • Instruction Fuzzy Hash: FF411520A1CE8A91EB14CB17E88027567ADAF44BB5F8491B1D95E476F5EE2CE4458301
                                                                            Function 00007FFE11595A90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52synchronizationCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$ErrorEventLastObjectSingleWait
                                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                            • API String ID: 4151107023-2248577382
                                                                            • Opcode ID: f1b7e06f17c5934cd429e5a01a4f554cf459a7225d9077e404f6a05e40f06fbc
                                                                            • Instruction ID: 99a504c51d2ff243108a407a9fafc51bb23b38b8710986b7bdd7b73afd235fe5
                                                                            • Opcode Fuzzy Hash: f1b7e06f17c5934cd429e5a01a4f554cf459a7225d9077e404f6a05e40f06fbc
                                                                            • Instruction Fuzzy Hash: 5021A332E18E8586EB108F35E8042B83725FB98B38F844271CA2E462F5EF2C95958704
                                                                            Function 663903D0 Relevance: 13.9, APIs: 1, Strings: 8, Instructions: 357COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 66342934: memmove.MSVCRT ref: 66342959
                                                                            • free.MSVCRT ref: 663905AD
                                                                              • Part of subcall function 66347F88: _CxxThrowException.MSVCRT ref: 66347FCE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrowfreememmove
                                                                            • String ID: Size=$ VA=0x$ name=$Checksum error$Data Directories: $dll$efi$index=
                                                                            • API String ID: 73398970-310007618
                                                                            • Opcode ID: 3199a10eac25bc1def9b3c1333cd01aac46b8c694889f192d04b0e13f4b9a6ab
                                                                            • Instruction ID: 6061e7e19911590dd73863238b62920ae958b0e016c59d7aa996e5eb558f1f9d
                                                                            • Opcode Fuzzy Hash: 3199a10eac25bc1def9b3c1333cd01aac46b8c694889f192d04b0e13f4b9a6ab
                                                                            • Instruction Fuzzy Hash: 4CE1F623639581A2DA40EB28E84039EB761F79171CF905336E29947568FFB6C95ACFC0
                                                                            Function 663E0120 Relevance: 13.8, APIs: 11, Instructions: 98COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memmove
                                                                            • String ID:
                                                                            • API String ID: 2162964266-0
                                                                            • Opcode ID: 81c140a3ad0937cac96f3697f9d82af0f764b069e69f11f43e582c4ded6050df
                                                                            • Instruction ID: 75146076cf3ce732f2f2f0f8df95a1fac13798da30b7e484ff9c39fe432f4e71
                                                                            • Opcode Fuzzy Hash: 81c140a3ad0937cac96f3697f9d82af0f764b069e69f11f43e582c4ded6050df
                                                                            • Instruction Fuzzy Hash: 09410467200A95A7DB19CF35C5807DC3BA4FB08B88F44412ADF1C8B758EB34E6A6C755
                                                                            Function 663E42E0 Relevance: 13.7, APIs: 2, Strings: 7, Instructions: 208COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $COMMONFILES$$PROGRAMFILES$$_ERROR_STR_$$_ERROR_UNSUPPORTED_VALUE_REGISTRY_$CommonFilesDir$ProgramFilesDir$_ERROR_UNSUPPORTED_SHELL_
                                                                            • API String ID: 0-3417997914
                                                                            • Opcode ID: a492bb6712fb690f11c694e04f3bdfbc64ddae1a64e4cab278e8526d6caa0915
                                                                            • Instruction ID: 968bf00c0ae9ede70a44261f47f7770a71c9a9d8d08a6c271020b3525c25ad64
                                                                            • Opcode Fuzzy Hash: a492bb6712fb690f11c694e04f3bdfbc64ddae1a64e4cab278e8526d6caa0915
                                                                            • Instruction Fuzzy Hash: 7E8104B67406908ADB05CF26D85075EBBA1F789F49F48D127CE464B309EF39C8A5CB60
                                                                            Function 663C47E8 Relevance: 12.8, APIs: 10, Instructions: 251COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 663C3BD0: _CxxThrowException.MSVCRT ref: 663C3BF5
                                                                            • free.MSVCRT ref: 663C48EC
                                                                            • free.MSVCRT ref: 663C492E
                                                                            • free.MSVCRT ref: 663C4982
                                                                            • _CxxThrowException.MSVCRT ref: 663C49E0
                                                                            • _CxxThrowException.MSVCRT ref: 663C4A03
                                                                            • _CxxThrowException.MSVCRT ref: 663C4A26
                                                                            • free.MSVCRT ref: 663C4A4F
                                                                            • _CxxThrowException.MSVCRT ref: 663C4ABB
                                                                              • Part of subcall function 663C3A28: _CxxThrowException.MSVCRT ref: 663C3A4B
                                                                            • _CxxThrowException.MSVCRT ref: 663C4B0D
                                                                            • _CxxThrowException.MSVCRT ref: 663C4B73
                                                                              • Part of subcall function 663BAD4C: free.MSVCRT ref: 663BADD4
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrow$free
                                                                            • String ID:
                                                                            • API String ID: 3129652135-0
                                                                            • Opcode ID: 35eeaee752827b9c52d074e932738547aa7edee002f9b9d92b003f738fb2a4e4
                                                                            • Instruction ID: 55817af711ffd919e1c13151e70b8b8774a906c6751114d77122b60be505c446
                                                                            • Opcode Fuzzy Hash: 35eeaee752827b9c52d074e932738547aa7edee002f9b9d92b003f738fb2a4e4
                                                                            • Instruction Fuzzy Hash: CE910436604B8486CB20DF26E85035EBB65F794BC8F104516EEDA4771ADF3AC859C342
                                                                            Function 00007FFE1158E8A0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 317COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID: .rar$exe$rar$rar$sfx
                                                                            • API String ID: 3668304517-3472988566
                                                                            • Opcode ID: 1841fd7f44c8f4a7aa04db4e6544a35332919c5d4c43ba00d47486ec885c06fd
                                                                            • Instruction ID: 52e760c505153a87655df52975fe06cc60960dd855e21866242c48e984fdae1d
                                                                            • Opcode Fuzzy Hash: 1841fd7f44c8f4a7aa04db4e6544a35332919c5d4c43ba00d47486ec885c06fd
                                                                            • Instruction Fuzzy Hash: 75D18A22A14E6284EB048F67E4593AC23B9FB04BB8F444675DA2E177F9DF7CE4859340
                                                                            Function 00007FFE11580CA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 134COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastProcessSecurityToken_invalid_parameter_noinfo_noreturn$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                            • API String ID: 1118262616-639343689
                                                                            • Opcode ID: 41b44cab1e262f53f340f1f55432d8aa446d76bf7bf330540b6e1bb81d356e5a
                                                                            • Instruction ID: 5b89a041987cf8bc5a676b0466bc8de2dfce51f6ba3e66d1a67cdac93a4af5b8
                                                                            • Opcode Fuzzy Hash: 41b44cab1e262f53f340f1f55432d8aa446d76bf7bf330540b6e1bb81d356e5a
                                                                            • Instruction Fuzzy Hash: 9A519362A18F8285EB10DF27F44167A67A9BF85BB0F5451B1EA9D026F5DF3CE484C600
                                                                            Function 00007FFE11595800 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45synchronizationCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CloseErrorHandleLastObjectReleaseSemaphoreSingleWait$CriticalDeleteEventResetSection
                                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                            • API String ID: 3470762150-2248577382
                                                                            • Opcode ID: f970fb21697e32c787d3e939248d7297b1f17586390d6dcb9c1fd9ecbf611057
                                                                            • Instruction ID: fd25a8b7a3cf9c7d7a00e9282fbb1136dda5f9d20d05d4302bc61140215129c7
                                                                            • Opcode Fuzzy Hash: f970fb21697e32c787d3e939248d7297b1f17586390d6dcb9c1fd9ecbf611057
                                                                            • Instruction Fuzzy Hash: 3E215E32A14E8282E7109F22E8452B9772AFB84BA8F944171DA2F476B5CF3CE456C754
                                                                            Function 663DE4A8 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 242COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: [BOOT]\
                                                                            • API String ID: 1294909896-3783783949
                                                                            • Opcode ID: 9193b1a0a16ae0be63f4326880ab27f1a2d8153bd6e577ffb959bf3feffd3abe
                                                                            • Instruction ID: e8ced5b1ab456834cc68f8db5f0e9b72c3675335e078e2883ca09426f06e29f9
                                                                            • Opcode Fuzzy Hash: 9193b1a0a16ae0be63f4326880ab27f1a2d8153bd6e577ffb959bf3feffd3abe
                                                                            • Instruction Fuzzy Hash: E8910633618A8091CB20DB25D89075EFF72F7D1BD8F845216EADD43A68DF25C58ACB40
                                                                            Function 663540A0 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 166COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 66342894: memmove.MSVCRT ref: 663428CC
                                                                            • free.MSVCRT ref: 663542FD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: freememmove
                                                                            • String ID: crc
                                                                            • API String ID: 2988784210-2086832125
                                                                            • Opcode ID: 561172f9eb436556997b139a8c3c1e643a22d8daa9cd3819230b9a3dcb80c258
                                                                            • Instruction ID: fb82d6ce5f5906f0c85f1d671c99303c4cd1118d049615e1bd04eddaf0655b7b
                                                                            • Opcode Fuzzy Hash: 561172f9eb436556997b139a8c3c1e643a22d8daa9cd3819230b9a3dcb80c258
                                                                            • Instruction Fuzzy Hash: 4E511822364A8097CB10DF25E88095EF7A1F7D5784F911122EBCE87A1ADF39C979CB00
                                                                            Function 663E24C4 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 145COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: (Uninstall)$.exe$.nsis$Install$Uninstall
                                                                            • API String ID: 1294909896-1910191680
                                                                            • Opcode ID: fac3cc7c1fdee94e4aaa17ecdf11b4e2b5775f2c7884df015b86ce3702d760d4
                                                                            • Instruction ID: 1df0b696d293a9dcc7c0f05453dc044372833161006b3a5fe19fe326153deceb
                                                                            • Opcode Fuzzy Hash: fac3cc7c1fdee94e4aaa17ecdf11b4e2b5775f2c7884df015b86ce3702d760d4
                                                                            • Instruction Fuzzy Hash: 2251F36232959292EE00EF28DAD039EF761F7D1748F905233D29E43568DFB5C94AC750
                                                                            Function 663B87D4 Relevance: 11.3, APIs: 9, Instructions: 75COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 99af38793927033381c528bcfd1e26c8a61e23617a232c689eb9939de8e32556
                                                                            • Instruction ID: 31945c8f80a0aa43001015038285c40744177b623a9fe81af5c2c547f2ce903e
                                                                            • Opcode Fuzzy Hash: 99af38793927033381c528bcfd1e26c8a61e23617a232c689eb9939de8e32556
                                                                            • Instruction Fuzzy Hash: EC215E23711A8196DA00EF26ED912ADA760EB91FA8F044331CFAD477AACF35C559C340
                                                                            Function 663566B4 Relevance: 11.0, APIs: 5, Strings: 2, Instructions: 469COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • free.MSVCRT ref: 66356961
                                                                            • free.MSVCRT ref: 66356970
                                                                              • Part of subcall function 6635648C: free.MSVCRT ref: 663565F8
                                                                              • Part of subcall function 6635648C: free.MSVCRT ref: 66356642
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: decmpfs$symlink
                                                                            • API String ID: 1294909896-50712451
                                                                            • Opcode ID: 4d796342f5bf157a5cdd3d7b3686e0f915b296950c078e6e1fe74fc413d126be
                                                                            • Instruction ID: 081ec116be779b5f622f2ec00c84b0962bbb9d68ef1bde21e3f72e9d0d8796f6
                                                                            • Opcode Fuzzy Hash: 4d796342f5bf157a5cdd3d7b3686e0f915b296950c078e6e1fe74fc413d126be
                                                                            • Instruction Fuzzy Hash: 6A021B3262A680C3CB10DB37DD50E9DF362F383785B82611BD69917978DB7AC5A8C741
                                                                            Function 00007FFE115A8D7C Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                            • String ID: csm$csm$csm
                                                                            • API String ID: 2940173790-393685449
                                                                            • Opcode ID: 9c9b9f04f1ff9c9688e1aaac155e18699196d8beca1ccf244bb23752c7ada1d8
                                                                            • Instruction ID: d196646daf4fd123f30aab62506753b77b3865bec93b34abc536a3cae3ea708c
                                                                            • Opcode Fuzzy Hash: 9c9b9f04f1ff9c9688e1aaac155e18699196d8beca1ccf244bb23752c7ada1d8
                                                                            • Instruction Fuzzy Hash: 1FE1B176A48B928AE7109F36E4802BD7BB8FB44768F104175DA9D576B6DF3CE481C700
                                                                            Function 663AC400 Relevance: 10.8, APIs: 4, Strings: 3, Instructions: 296COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Marker$Missing volume : $zlib
                                                                            • API String ID: 0-3775675956
                                                                            • Opcode ID: 8834e4450b003a0db7d2dd7b6b060741987223b95ac6550b530870ecbf085952
                                                                            • Instruction ID: 50fad84ed5a36bb97eb7cfc7b29e3b610fe4573d5f0d1701830fa0ccc4aaaaf3
                                                                            • Opcode Fuzzy Hash: 8834e4450b003a0db7d2dd7b6b060741987223b95ac6550b530870ecbf085952
                                                                            • Instruction Fuzzy Hash: AFB1E533A0879096DB20DF25E89026EBBB5F387388F444116D7DD43A2CEB36C599DB40
                                                                            Function 663E8668 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 220COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: .rar$Missing volume : $VolCRC$part
                                                                            • API String ID: 1294909896-1886750414
                                                                            • Opcode ID: bd68bc5763e29aab8a5e34e6e4b568f65cb76ecf4c5b46a5fed7cad088b0aba1
                                                                            • Instruction ID: f28addc37de4920c7c9498cb7f4affd0ff20a86850dedb45d13cda0821692b01
                                                                            • Opcode Fuzzy Hash: bd68bc5763e29aab8a5e34e6e4b568f65cb76ecf4c5b46a5fed7cad088b0aba1
                                                                            • Instruction Fuzzy Hash: B881C472F28550A6DB10DF59DC8025EB7B1FBD2B88B504213E6CD4796CDB3AC90ACB52
                                                                            Function 663E0420 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 174COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • memcmp.MSVCRT ref: 663E0458
                                                                              • Part of subcall function 663DFFA8: _CxxThrowException.MSVCRT ref: 663DFFEE
                                                                              • Part of subcall function 663DF5D4: _CxxThrowException.MSVCRT ref: 663DF622
                                                                              • Part of subcall function 663DF5D4: _CxxThrowException.MSVCRT ref: 663DF641
                                                                            • memmove.MSVCRT ref: 663E053B
                                                                              • Part of subcall function 663630F8: _CxxThrowException.MSVCRT ref: 66363128
                                                                              • Part of subcall function 663630F8: memmove.MSVCRT ref: 66363161
                                                                              • Part of subcall function 663630F8: free.MSVCRT ref: 66363169
                                                                              • Part of subcall function 663442CC: malloc.MSVCRT ref: 663442DC
                                                                            • memmove.MSVCRT ref: 663E063F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrow$memmove$freemallocmemcmp
                                                                            • String ID: $ $D$U
                                                                            • API String ID: 3422428127-3171407726
                                                                            • Opcode ID: 43b18e3f2a092913c2c67bb350435026e1e33e9c509846207ccc001f314d8b5d
                                                                            • Instruction ID: e662e2f4ad0fbd7a532ff3d27280169a941ca8448ca3a78be24ec3e38ec3f999
                                                                            • Opcode Fuzzy Hash: 43b18e3f2a092913c2c67bb350435026e1e33e9c509846207ccc001f314d8b5d
                                                                            • Instruction Fuzzy Hash: 1551366390C3E446DB21DF25A94039E7B61F7C5B88F440227DFCA03659CF6AC19ACBA0
                                                                            Function 00007FFE115AA87C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFE115AAA83,?,?,?,00007FFE115A87EE,?,?,?,00007FFE115A87A9), ref: 00007FFE115AA901
                                                                            • GetLastError.KERNEL32(?,?,00000000,00007FFE115AAA83,?,?,?,00007FFE115A87EE,?,?,?,00007FFE115A87A9), ref: 00007FFE115AA90F
                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,00007FFE115AAA83,?,?,?,00007FFE115A87EE,?,?,?,00007FFE115A87A9), ref: 00007FFE115AA939
                                                                            • FreeLibrary.KERNEL32(?,?,00000000,00007FFE115AAA83,?,?,?,00007FFE115A87EE,?,?,?,00007FFE115A87A9), ref: 00007FFE115AA97F
                                                                            • GetProcAddress.KERNEL32(?,?,00000000,00007FFE115AAA83,?,?,?,00007FFE115A87EE,?,?,?,00007FFE115A87A9), ref: 00007FFE115AA98B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                            • String ID: api-ms-
                                                                            • API String ID: 2559590344-2084034818
                                                                            • Opcode ID: 5f9cc119832a5620e7c292162b9af8c112bb8162cf73de75ed75e67d41573d83
                                                                            • Instruction ID: cb2f99f59827fd23af0acc58da1fefbff2545bd4e2462818c28d62329caa2bcf
                                                                            • Opcode Fuzzy Hash: 5f9cc119832a5620e7c292162b9af8c112bb8162cf73de75ed75e67d41573d83
                                                                            • Instruction Fuzzy Hash: 5E316C26A5AF4299FF229B03B80067A639DBF49B70F5A0575DD1D4A7B4EF3CE4858300
                                                                            Function 66370200 Relevance: 10.1, APIs: 8, Instructions: 98COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 21df9bf9795179cde5f95ccbcadc17fbca609640fa6b01de7e55f7da43e9b1d2
                                                                            • Instruction ID: 92acf18169d1ab62253ae89e1b189c48b437d27c01227152877740140b1063e3
                                                                            • Opcode Fuzzy Hash: 21df9bf9795179cde5f95ccbcadc17fbca609640fa6b01de7e55f7da43e9b1d2
                                                                            • Instruction Fuzzy Hash: E03185B3B01A508AD711EF65D95036E6B61F784FD8F290125CEA90B759DF3AC44AC384
                                                                            Function 663E6190 Relevance: 10.1, APIs: 8, Instructions: 85COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 44e08db37267ba00978edef3bc103adb7362d2a87f4d27e732bf4f55086fb284
                                                                            • Instruction ID: d14dbbb50d640c6df59aba1a79a96056f0b3cd65b7c6ff36e21db8a1be0151b3
                                                                            • Opcode Fuzzy Hash: 44e08db37267ba00978edef3bc103adb7362d2a87f4d27e732bf4f55086fb284
                                                                            • Instruction Fuzzy Hash: E83161737059D0C9C711AF6ADC4519C6766F369F99F290235CBE91B7AACB31C8A2C320
                                                                            Function 663F8500 Relevance: 10.1, APIs: 8, Instructions: 65COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • free.MSVCRT ref: 663F852E
                                                                            • free.MSVCRT ref: 663F853A
                                                                            • free.MSVCRT ref: 663F8546
                                                                            • free.MSVCRT ref: 663F8552
                                                                            • free.MSVCRT ref: 663F855E
                                                                            • free.MSVCRT ref: 663F856A
                                                                            • free.MSVCRT ref: 663F8576
                                                                              • Part of subcall function 663F68A8: free.MSVCRT ref: 663F68B8
                                                                              • Part of subcall function 663F68A8: free.MSVCRT ref: 663F68C4
                                                                              • Part of subcall function 663F68A8: free.MSVCRT ref: 663F68D0
                                                                              • Part of subcall function 663F68A8: free.MSVCRT ref: 663F68DC
                                                                              • Part of subcall function 663F68A8: free.MSVCRT ref: 663F68E5
                                                                              • Part of subcall function 663F68A8: free.MSVCRT ref: 663F68EE
                                                                              • Part of subcall function 663F68A8: free.MSVCRT ref: 663F68F7
                                                                            • free.MSVCRT ref: 663F85D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 6d269c236c51a88136b7a7bbd786112fc7dfe57020831d71eeb77a7fdb994468
                                                                            • Instruction ID: 8033d22032b2e5288e167ef7d9a148f2631eb25fda664322a49fc41a80ad2c43
                                                                            • Opcode Fuzzy Hash: 6d269c236c51a88136b7a7bbd786112fc7dfe57020831d71eeb77a7fdb994468
                                                                            • Instruction Fuzzy Hash: 9321F562711A80A6CA48EE26DD9426CA760FB96FA4F044331CFAE47765CF30D97AC300
                                                                            Function 663CA3CC Relevance: 10.0, APIs: 8, Instructions: 35COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 80ff2a2d8c412de59474e6944e5d3eaa27bda024d53c67dfb2bb0520720467b1
                                                                            • Instruction ID: 24fd112b99cc18a9a59320d4fee6f50ac217f9c0151342f0b96506fdc69eb992
                                                                            • Opcode Fuzzy Hash: 80ff2a2d8c412de59474e6944e5d3eaa27bda024d53c67dfb2bb0520720467b1
                                                                            • Instruction Fuzzy Hash: 04014462201A8081DF54EF35DC9576CA760EBD0F98F044732DEAE4B66ACF25C9A9C351
                                                                            Function 663560BC Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 174COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ----$.apfs$Volume$block_size
                                                                            • API String ID: 0-354511790
                                                                            • Opcode ID: 45055fbf821045df9aeccc2c1f319278dfcdb364eb21cc81b346c2baaac15007
                                                                            • Instruction ID: 0f6f3d343e982d873b684347421f1675a17b1888d7d445a32564b50090eda9c9
                                                                            • Opcode Fuzzy Hash: 45055fbf821045df9aeccc2c1f319278dfcdb364eb21cc81b346c2baaac15007
                                                                            • Instruction Fuzzy Hash: 7E61063262858492DB50DB1AEE8075EBBB1F7D2788F415112E6CE0397CDF7AC55AC780
                                                                            Function 00007FFE11587D10 Relevance: 9.2, APIs: 6, Instructions: 170filetimeCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3536497005-0
                                                                            • Opcode ID: ae39f0f1f9ba7466dc99ed84c4322b49b2ef2fa029b9db5ba00d6dfce66fe041
                                                                            • Instruction ID: ea6ed3e68eb14700ae31a9545187d42013261007e03f3c96a137d7716c33b537
                                                                            • Opcode Fuzzy Hash: ae39f0f1f9ba7466dc99ed84c4322b49b2ef2fa029b9db5ba00d6dfce66fe041
                                                                            • Instruction Fuzzy Hash: 9C61C162A18F8185EB248B2AF44472A67A5FB857B4F201374DEB903AF4DF3DD494C704
                                                                            Function 00007FFE11595450 Relevance: 9.2, APIs: 6, Instructions: 150libraryCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: DirectoryLibraryLoadSystem
                                                                            • String ID:
                                                                            • API String ID: 1175261203-0
                                                                            • Opcode ID: 5e03e2a18399c2173d16b4f04aeee3953af2f92891713b6a006a915eacf9811d
                                                                            • Instruction ID: 731ab9204f4295dbdf9370e7642a5efd4816d721bf4608eaf53b93767587263b
                                                                            • Opcode Fuzzy Hash: 5e03e2a18399c2173d16b4f04aeee3953af2f92891713b6a006a915eacf9811d
                                                                            • Instruction Fuzzy Hash: 1B51C062F28B8294FF009B66E4443AD236AAB84BE8F404272DA5D17AF9DE3CD445C300
                                                                            Function 66382184 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 133COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$ExceptionThrow
                                                                            • String ID: Hf$group:$img
                                                                            • API String ID: 4001284683-2195507071
                                                                            • Opcode ID: 4a22877f8d4ecc9f8982a42d42a779bdd5284ae95459ddd9b2e58035f091a991
                                                                            • Instruction ID: 0faa3484787c3b39f2c79b28f0bdf2cf836094615141940bcbe2db61abc957a5
                                                                            • Opcode Fuzzy Hash: 4a22877f8d4ecc9f8982a42d42a779bdd5284ae95459ddd9b2e58035f091a991
                                                                            • Instruction Fuzzy Hash: 0951836332490091DB60EF29DD5079EBBB0E7D27D8F940216D69D43978DF79CA8ACB80
                                                                            Function 00007FFE11595FA0 Relevance: 9.1, APIs: 6, Instructions: 85timeCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                                            • String ID:
                                                                            • API String ID: 2092733347-0
                                                                            • Opcode ID: 030affd7d2b88d3578f8c8bed176722868f0cd967c05d64f3ad146b704ce1efb
                                                                            • Instruction ID: 6cad3b13836069aebc1e1665a955ee28ff6a5bd2a81225ee1c1c591f80bf4917
                                                                            • Opcode Fuzzy Hash: 030affd7d2b88d3578f8c8bed176722868f0cd967c05d64f3ad146b704ce1efb
                                                                            • Instruction Fuzzy Hash: 11315E62F10A518EFB10CFB5E8801AC7775FB18798B545036EE0E97A68EA3CD895C314
                                                                            Function 663B4E20 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 60COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: \P;f$pO;f$tP;f
                                                                            • API String ID: 1294909896-515361868
                                                                            • Opcode ID: 2e768e858aa6faa3258402c6a1de14a4ef924ca1ce22710629d6b67b7f4d04e1
                                                                            • Instruction ID: efd5a874401db37c84564cc161e63f11de728202997b8237dfb933f98e435128
                                                                            • Opcode Fuzzy Hash: 2e768e858aa6faa3258402c6a1de14a4ef924ca1ce22710629d6b67b7f4d04e1
                                                                            • Instruction Fuzzy Hash: 44218832642B4499DB01DF28D85039A3366FB95FA8F244332CEAD077A9EF36C55AC340
                                                                            Function 00007FFE115A9278 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: abort$CallEncodePointerTranslator
                                                                            • String ID: MOC$RCC
                                                                            • API String ID: 2889003569-2084237596
                                                                            • Opcode ID: fe4baf2c4d3b5907899f79412f273091b68c43c1c39f1296298bac24e8c1bf78
                                                                            • Instruction ID: 9e740226a717a8967f8bbbedb08a852bc7c6b155357aed31f429301c136aea20
                                                                            • Opcode Fuzzy Hash: fe4baf2c4d3b5907899f79412f273091b68c43c1c39f1296298bac24e8c1bf78
                                                                            • Instruction Fuzzy Hash: 86919E77A08B918AE710CB66E8802AD7BB4FB44798F104166EB8D17775EF3CD191C700
                                                                            Function 00007FFE115A8460 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                            • String ID: csm$f
                                                                            • API String ID: 2395640692-629598281
                                                                            • Opcode ID: 66702ce518d7f55ac7fb05c9d8b0548088f026915101cac080f97bfc6205245f
                                                                            • Instruction ID: ac199b9665cea65433b2e8e5a930449b85ffe3afd432e16c11084fb72465a551
                                                                            • Opcode Fuzzy Hash: 66702ce518d7f55ac7fb05c9d8b0548088f026915101cac080f97bfc6205245f
                                                                            • Instruction Fuzzy Hash: E151F132E19A0296EB54CF16F444A2937A9FB54BA9F1481B0DE4A037B8EF3CEC41C704
                                                                            Function 00007FFE11595BA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30synchronizationCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorEventLastObjectReleaseResetSemaphoreSingleWait
                                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                            • API String ID: 2496126464-2248577382
                                                                            • Opcode ID: b29f012e977e4e8071bc7d614353aa8f3ec1c89d5b9429c5932122a8cac9adc7
                                                                            • Instruction ID: 423e66129b3e7ee01fac3a1d51d302ab1d2813821f1d190ff4a8bd8613ad6655
                                                                            • Opcode Fuzzy Hash: b29f012e977e4e8071bc7d614353aa8f3ec1c89d5b9429c5932122a8cac9adc7
                                                                            • Instruction Fuzzy Hash: EC016235E15E4182EB209B22E8442B52369FF98B78F941371C92E4A2F59F2C9496C705
                                                                            Function 00007FFE115AB3E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                            • API String ID: 4061214504-1276376045
                                                                            • Opcode ID: b8ea88ef9185d33527088a59d5eeeabd506ca86e1384455bad11c64c0bacc1b9
                                                                            • Instruction ID: 55f8edf029623af02199b6c8344a06ba550319f815b232c0dddacab30a018304
                                                                            • Opcode Fuzzy Hash: b8ea88ef9185d33527088a59d5eeeabd506ca86e1384455bad11c64c0bacc1b9
                                                                            • Instruction Fuzzy Hash: 96F04922A29E4681EF548F12F484379276AFF88BA0F881479EA0F46674DE3CD488C704
                                                                            Function 00007FFE11588D00 Relevance: 7.8, APIs: 5, Instructions: 296COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$DirectoryRemove
                                                                            • String ID:
                                                                            • API String ID: 5593133-0
                                                                            • Opcode ID: 0cf72162d19b9e1ab7694f25d7fda0d5f59c5d55894452e8ca30b033a52dedce
                                                                            • Instruction ID: a957473797255a40f87f1dd57e2582fc679881ba235a3fab54dc9e13bf637890
                                                                            • Opcode Fuzzy Hash: 0cf72162d19b9e1ab7694f25d7fda0d5f59c5d55894452e8ca30b033a52dedce
                                                                            • Instruction Fuzzy Hash: 1EC17F22B18E8185EF108B27F4442AD63AAFB847A8F500275EA9D07AF9DF3CD595C704
                                                                            Function 00007FFE11581880 Relevance: 7.8, APIs: 5, Instructions: 262timeCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CloseFileHandleTime
                                                                            • String ID:
                                                                            • API String ID: 2100898393-0
                                                                            • Opcode ID: 46783ce36b6a4fdec198115c2e54ed7c92ac70083cf90ca2cc7434a5008221f8
                                                                            • Instruction ID: 91cbc968a9f534e312d2c80be67e3bab08cabd917db7a034fb952b0dd900f28b
                                                                            • Opcode Fuzzy Hash: 46783ce36b6a4fdec198115c2e54ed7c92ac70083cf90ca2cc7434a5008221f8
                                                                            • Instruction Fuzzy Hash: ACB19E62A18F8285EB109B67F4853BD6366FB857A4F405271EA9D07AF9DF7CE580C300
                                                                            Function 663D6640 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 227COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • memmove.MSVCRT ref: 663D66CF
                                                                            • free.MSVCRT ref: 663D66D8
                                                                            • _CxxThrowException.MSVCRT ref: 663D6732
                                                                              • Part of subcall function 6634231C: _CxxThrowException.MSVCRT ref: 66342350
                                                                              • Part of subcall function 6634231C: free.MSVCRT ref: 66342365
                                                                              • Part of subcall function 6634231C: memmove.MSVCRT ref: 6634237D
                                                                            • _CxxThrowException.MSVCRT ref: 663D678F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrow$freememmove
                                                                            • String ID: [ERROR-LONG-PATH]
                                                                            • API String ID: 388480476-1539969551
                                                                            • Opcode ID: b47c596c45b95fcfe1ff1e45e22656a5b6c73b75f43c15a843daafe52724b58f
                                                                            • Instruction ID: 5289f5443f2fd125190fb59deb6dcd77295500b83b0dd28f8a1d1facec43392f
                                                                            • Opcode Fuzzy Hash: b47c596c45b95fcfe1ff1e45e22656a5b6c73b75f43c15a843daafe52724b58f
                                                                            • Instruction Fuzzy Hash: D3715773714A4887CB10CF26D990A9D3BA2F78BB88F544A25DF7983758DB3AD489C740
                                                                            Function 00007FFE115B0C80 Relevance: 7.7, APIs: 5, Instructions: 203COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo
                                                                            • String ID:
                                                                            • API String ID: 3215553584-0
                                                                            • Opcode ID: 696e2e3a6a126cdbffc5887cf633f152d1b2864227f6c96da8e26e91193ad69a
                                                                            • Instruction ID: 6f95f52ccace24c30ca88820272c6a55c71172b167876a1c44a3942e437b9361
                                                                            • Opcode Fuzzy Hash: 696e2e3a6a126cdbffc5887cf633f152d1b2864227f6c96da8e26e91193ad69a
                                                                            • Instruction Fuzzy Hash: BC81AE22F18E1289F7609B66D4806BD67BABB44BB8F4042B5DD0E536B1CF3CE446C718
                                                                            Function 6635C770 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 195COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: PM
                                                                            • API String ID: 0-4077875846
                                                                            • Opcode ID: 7d64a51bb26b83b3decc403a83c24fa643ba166aa777fd9ae2ffac2d84efeda8
                                                                            • Instruction ID: 5efad12949075465505f0c928d560d85aa938b48ef1c177293cb9436cbc952c9
                                                                            • Opcode Fuzzy Hash: 7d64a51bb26b83b3decc403a83c24fa643ba166aa777fd9ae2ffac2d84efeda8
                                                                            • Instruction Fuzzy Hash: 8B7108736186C0CBE724CB25E044B9A7BB4F389B8CF115119DB9E87B44DB79C1A9CB81
                                                                            Function 6637A178 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$ExceptionThrow
                                                                            • String ID: Hah!$img
                                                                            • API String ID: 4001284683-3243172660
                                                                            • Opcode ID: a70beea025bb1952af1a2796ad3bea51e880534d766d0cd102d2141e2f13433e
                                                                            • Instruction ID: 32a7c432ba14cf4418645d50dd8a337408d9a1c9aaa25022da8f4b41937d5f67
                                                                            • Opcode Fuzzy Hash: a70beea025bb1952af1a2796ad3bea51e880534d766d0cd102d2141e2f13433e
                                                                            • Instruction Fuzzy Hash: E651E36272494092DB20DF19DC9025EBBB1FBD5B88F905112E6DE43668DF3EC949CB44
                                                                            Function 00007FFE11589B30 Relevance: 7.7, APIs: 5, Instructions: 158filetimeCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 2398171386-0
                                                                            • Opcode ID: dffeffb64906adcc7111628bd6b2ae03483cfedcabf1db9a271af5320f0c5451
                                                                            • Instruction ID: 8a0439379114546828473f86e1d07d72e22565c27cbfad03d46e99173bc622f1
                                                                            • Opcode Fuzzy Hash: dffeffb64906adcc7111628bd6b2ae03483cfedcabf1db9a271af5320f0c5451
                                                                            • Instruction Fuzzy Hash: 3561AD22A0CB8241EB648B27F4403AAB7B5EBC57B4F504271EA9D46AF4EF3DD484C740
                                                                            Function 6637429C Relevance: 7.7, APIs: 5, Instructions: 155timeCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • free.MSVCRT ref: 66374342
                                                                            • LocalFileTimeToFileTime.KERNEL32 ref: 66374372
                                                                              • Part of subcall function 66347F2C: SysAllocStringLen.OLEAUT32 ref: 66347F4F
                                                                              • Part of subcall function 66347F2C: _CxxThrowException.MSVCRT ref: 66347F76
                                                                            • LocalFileTimeToFileTime.KERNEL32 ref: 663743D3
                                                                            • LocalFileTimeToFileTime.KERNEL32 ref: 66374432
                                                                            • free.MSVCRT ref: 66374531
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: FileTime$Local$free$AllocExceptionStringThrow
                                                                            • String ID:
                                                                            • API String ID: 3139368226-0
                                                                            • Opcode ID: 1a43d1aa2d4426a103770d295ade886803e1aa16651432ea62f15a4f6b02576a
                                                                            • Instruction ID: dc9a92c184ccbade9cbebbe027ee66d28e52ff52d7d6fa3789c30009902dc862
                                                                            • Opcode Fuzzy Hash: 1a43d1aa2d4426a103770d295ade886803e1aa16651432ea62f15a4f6b02576a
                                                                            • Instruction Fuzzy Hash: 3651C5636281C092DB30DB64F85039EEBA1FB95368F801219D6D90799AEBBDC50CCB44
                                                                            Function 00007FFE115B05F4 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                            • String ID:
                                                                            • API String ID: 3659116390-0
                                                                            • Opcode ID: 551f830c44dcb28205a851324713078072c0d014183af9164ec0aa26a8b3e883
                                                                            • Instruction ID: 2c63922eb0eec10e6727d9a349098350c439adbd78cfcec18a3d5a1e9b6e8fec
                                                                            • Opcode Fuzzy Hash: 551f830c44dcb28205a851324713078072c0d014183af9164ec0aa26a8b3e883
                                                                            • Instruction Fuzzy Hash: 1D51BC72A28A5189E710CF66E4443AC7BB9FB44BA8F048275CE4A57AB9DF3CD152C704
                                                                            Function 00007FFE115A53F0 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                            • String ID:
                                                                            • API String ID: 262959230-0
                                                                            • Opcode ID: 8782e2b011d5e3c8acb04b57bf3638554fc671b984ab2602705de6ea80a0bc9d
                                                                            • Instruction ID: d43d32fcc33ae29d4d4223da08d15cbe46def0820680e7fe393f758955e13646
                                                                            • Opcode Fuzzy Hash: 8782e2b011d5e3c8acb04b57bf3638554fc671b984ab2602705de6ea80a0bc9d
                                                                            • Instruction Fuzzy Hash: 3141A021A59F4689EB149F23B4407B92699FF48BB8F544674EA6E877F5DF3CE0418300
                                                                            Function 00007FFE115A39F0 Relevance: 7.6, APIs: 5, Instructions: 131COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
                                                                            • String ID:
                                                                            • API String ID: 3936042273-0
                                                                            • Opcode ID: a5cde4a59ecad89c6bda2602082a04d638feb9cde39964c1533984ac8569920b
                                                                            • Instruction ID: 0cba3a2ec77163ba05e8e963380b2641ea4652db5f210b68de2145ab11642a39
                                                                            • Opcode Fuzzy Hash: a5cde4a59ecad89c6bda2602082a04d638feb9cde39964c1533984ac8569920b
                                                                            • Instruction Fuzzy Hash: 1221EF91F99B8342FE48536BA49A37C11C65F06BF4EA04B71D63E0A7F2DD9CA4C14300
                                                                            Function 00007FFE115AD228 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc
                                                                            • String ID:
                                                                            • API String ID: 190572456-0
                                                                            • Opcode ID: da097c8160ee185e16611bb12554a6c946729c3dec57511a8e7f0addd02f5137
                                                                            • Instruction ID: 0d70c359ae554ab7aea4b41cc68ce17651dfc9ceb59b453b3c8d4890b033cd94
                                                                            • Opcode Fuzzy Hash: da097c8160ee185e16611bb12554a6c946729c3dec57511a8e7f0addd02f5137
                                                                            • Instruction Fuzzy Hash: 8B41B161B09E4282FF25AB03B80467A679DBF18BF0F4A4576DD1E4B7B4EE3CE4418200
                                                                            Function 663E27EC Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 111COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • free.MSVCRT ref: 663E2882
                                                                            • free.MSVCRT ref: 663E28F1
                                                                              • Part of subcall function 66342A24: free.MSVCRT ref: 66342A50
                                                                              • Part of subcall function 66342A24: memmove.MSVCRT ref: 66342A6B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$memmove
                                                                            • String ID: $INSTDIR\$.nsis$file
                                                                            • API String ID: 1534225298-1252558551
                                                                            • Opcode ID: b48143302a5ede22ed4658b6ac998cc83b696586dd0fb85f84fedf459635f8c5
                                                                            • Instruction ID: 41a3a0e1b326a3671d7200fa2d3f3788002bb25ed2fe355153644bbb83d1b8dc
                                                                            • Opcode Fuzzy Hash: b48143302a5ede22ed4658b6ac998cc83b696586dd0fb85f84fedf459635f8c5
                                                                            • Instruction Fuzzy Hash: DC413462B4071689EB24DF26DE5039DBBA0E789BD8F446232DE9E57758CF39C489C310
                                                                            Function 663546B4 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 102COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memmove
                                                                            • String ID: APSB
                                                                            • API String ID: 2162964266-1729421535
                                                                            • Opcode ID: a3f2c4b4e207a75f0309814512ef9705512515017181663e740d72c04f2c9aa8
                                                                            • Instruction ID: 4534668828e4d458319ebef37f366d42dbc897087228b73888e45f4ad2e8fc2d
                                                                            • Opcode Fuzzy Hash: a3f2c4b4e207a75f0309814512ef9705512515017181663e740d72c04f2c9aa8
                                                                            • Instruction Fuzzy Hash: DA41A176601B8497DBA88B2AE980799B7A4F309B94F104526CF9D87720EF39E4B5C740
                                                                            Function 00007FFE11589E80 Relevance: 7.6, APIs: 5, Instructions: 98fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile$CloseControlDeviceHandle_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3376050231-0
                                                                            • Opcode ID: 88b3849cb18ccba80b00475e336cced583b561ee1bdfcfbfaac2ead2967c8c47
                                                                            • Instruction ID: b333122254d310b7aa70dc2bae0cb30c0f1e721f771066677519ccd5b12d1baa
                                                                            • Opcode Fuzzy Hash: 88b3849cb18ccba80b00475e336cced583b561ee1bdfcfbfaac2ead2967c8c47
                                                                            • Instruction Fuzzy Hash: 8D417022A18B8185EB108F16F44466AB7A5FBC57B4F601274EBAD07AF8DF3DD180C744
                                                                            Function 663A2204 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 72COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp$memset
                                                                            • String ID: P
                                                                            • API String ID: 1491426995-3110715001
                                                                            • Opcode ID: e96558d98f55990c3d94ea73ce139a22fcb5268757c1f115c8862ff3619718bd
                                                                            • Instruction ID: d9645ff35561266619d0c6639df769760fb6806d64ed1ff4d4517225d2279a25
                                                                            • Opcode Fuzzy Hash: e96558d98f55990c3d94ea73ce139a22fcb5268757c1f115c8862ff3619718bd
                                                                            • Instruction Fuzzy Hash: CE21D3B6A212049FD384CF2AD640A983BF1F708B98B048126DF04C7B04E735E9B5DBA1
                                                                            Function 663C02A0 Relevance: 7.6, APIs: 6, Instructions: 70COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp
                                                                            • String ID:
                                                                            • API String ID: 1475443563-0
                                                                            • Opcode ID: c1092bf35685397c7b40ad181c95c971100654bb1479e9d953baace2ad132651
                                                                            • Instruction ID: b82fb8efb027ae60c5d16ebd09ae1babdea077881a62e9820f131522b7bcd9cb
                                                                            • Opcode Fuzzy Hash: c1092bf35685397c7b40ad181c95c971100654bb1479e9d953baace2ad132651
                                                                            • Instruction Fuzzy Hash: D011D6E13647819BEB08DF2ADD417992769AB06FC8FC84424DE0887305FF6BCA55C396
                                                                            Function 664023E0 Relevance: 7.6, APIs: 6, Instructions: 67COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memmove$malloc
                                                                            • String ID:
                                                                            • API String ID: 3263852767-0
                                                                            • Opcode ID: d9e161ec28015e4be09f548167ec7da116226f5449f623488316e955a0916c47
                                                                            • Instruction ID: 73acad9566ce2c8cf6e68e7486c328d32679f8ec4ebfffc1306d4336d618dde3
                                                                            • Opcode Fuzzy Hash: d9e161ec28015e4be09f548167ec7da116226f5449f623488316e955a0916c47
                                                                            • Instruction Fuzzy Hash: 3E2108B37016C5ABCB64CF39DA806C87BA0F719788F449426DB5C87B04EB74D6A1CB40
                                                                            Function 00007FFE11587B40 Relevance: 7.6, APIs: 5, Instructions: 63fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLast$HandleReadType
                                                                            • String ID:
                                                                            • API String ID: 3928740045-0
                                                                            • Opcode ID: e09c89fae7f3914726958d92d7b04374e7600799a76a0a124e5c43a1b6989b26
                                                                            • Instruction ID: 6fb04323797d1c44dbe1ad817f14df5fa638ffcae6a2663cce5e3328938ec75d
                                                                            • Opcode Fuzzy Hash: e09c89fae7f3914726958d92d7b04374e7600799a76a0a124e5c43a1b6989b26
                                                                            • Instruction Fuzzy Hash: 8821AE21A08D4281EB209B27F400339A769FB81BB5F1446B1DB6E476F4DF3CE8E08755
                                                                            Function 00007FFE115B1F2C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _set_statfp
                                                                            • String ID:
                                                                            • API String ID: 1156100317-0
                                                                            • Opcode ID: 91730570d0388275b611bf63403ad44081c8b2f65fc393fad179d5a682f0df8d
                                                                            • Instruction ID: 6f4bf7f71f0472ac6271b1fc233e4d48b188bbc82dd79176926408c708b856a1
                                                                            • Opcode Fuzzy Hash: 91730570d0388275b611bf63403ad44081c8b2f65fc393fad179d5a682f0df8d
                                                                            • Instruction Fuzzy Hash: 1E118262E1CE0205FBA4512AF6C53B6214B7F653F0E1447B4EA7E066F69F2CA440D228
                                                                            Function 663C03B4 Relevance: 7.5, APIs: 6, Instructions: 48COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 663BF978: memset.MSVCRT ref: 663BF9DC
                                                                              • Part of subcall function 663B7FC4: free.MSVCRT ref: 663B8030
                                                                              • Part of subcall function 663B7FC4: free.MSVCRT ref: 663B8038
                                                                              • Part of subcall function 663B7FC4: free.MSVCRT ref: 663B8045
                                                                              • Part of subcall function 663B7FC4: free.MSVCRT ref: 663B8072
                                                                              • Part of subcall function 663B7FC4: free.MSVCRT ref: 663B807A
                                                                              • Part of subcall function 663B7FC4: free.MSVCRT ref: 663B8087
                                                                            • free.MSVCRT ref: 663C041A
                                                                            • free.MSVCRT ref: 663C0427
                                                                            • free.MSVCRT ref: 663C0434
                                                                            • free.MSVCRT ref: 663C0441
                                                                            • free.MSVCRT ref: 663C044D
                                                                            • free.MSVCRT ref: 663C0459
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFAA8
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFAB4
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFAC0
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFACC
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFAD8
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFAE4
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFAF0
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFAFC
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFB08
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFB14
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFB20
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFB2C
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFB38
                                                                              • Part of subcall function 663BFA98: free.MSVCRT ref: 663BFB44
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free$memset
                                                                            • String ID:
                                                                            • API String ID: 2717317152-0
                                                                            • Opcode ID: 754bf2093be868f00370fa93bc13cadd766217f701d3a166ad5084b58f59c263
                                                                            • Instruction ID: 00d402e2b3140274ffb93ae69cf03964875d0b6dbed1cf07f1dea38c03acc313
                                                                            • Opcode Fuzzy Hash: 754bf2093be868f00370fa93bc13cadd766217f701d3a166ad5084b58f59c263
                                                                            • Instruction Fuzzy Hash: 43110732342A40A6DA09EB24D99439DB7A4FBA5B54F500322CAAD437A1DF32D679C340
                                                                            Function 66382680 Relevance: 7.5, APIs: 6, Instructions: 32COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: e05ae5816c23d98e0720175b59d1cb4fad4b1b6ffc10cfc3b270025579f051f3
                                                                            • Instruction ID: 851fb3d07cb66a18b3a6c16de16f8efa07db9885a0f028f02a601f548de19be7
                                                                            • Opcode Fuzzy Hash: e05ae5816c23d98e0720175b59d1cb4fad4b1b6ffc10cfc3b270025579f051f3
                                                                            • Instruction Fuzzy Hash: 81F0B762241A4085DE14EF36DC5222CA764EBD5FA8F5443318EEE4B6BACF25C9A6C340
                                                                            Function 663F6040 Relevance: 7.5, APIs: 6, Instructions: 19COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 6563bfc89170e2d9aaefc53dbe5ca99ee45684105216044015edef4c0f22d27a
                                                                            • Instruction ID: 91ee220bd9d10f509b255dd36f41c77507af3e37a95eef3bc3d46b0a4a56eead
                                                                            • Opcode Fuzzy Hash: 6563bfc89170e2d9aaefc53dbe5ca99ee45684105216044015edef4c0f22d27a
                                                                            • Instruction Fuzzy Hash: D6E0D56161148481DA01EF66DC9236C5790E7A4F88F081231CECD8B21BCE10C561C710
                                                                            Function 00007FFE115A97EC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: __except_validate_context_recordabort
                                                                            • String ID: csm$csm
                                                                            • API String ID: 746414643-3733052814
                                                                            • Opcode ID: db3cfc6d86153359baf1014895ad962cfee67e82f0d85403e98333e2f3dabcc3
                                                                            • Instruction ID: ea1a587fd329a4a870820077b8ba478937cff992be8cbd19a107d6ef9ec52c20
                                                                            • Opcode Fuzzy Hash: db3cfc6d86153359baf1014895ad962cfee67e82f0d85403e98333e2f3dabcc3
                                                                            • Instruction Fuzzy Hash: 5C71D376A08AE28ADB608F26E45077D7BA4FB04BA5F148176DE4C47AB5DF3CD450C700
                                                                            Function 00007FFE115A9C30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                            • String ID: csm
                                                                            • API String ID: 2466640111-1018135373
                                                                            • Opcode ID: 8e490ef12a44c021d1643fc55ba5bb9ae3ec9bb36ebe4828b9d836a9272504ca
                                                                            • Instruction ID: 9782ebb6b8ed4dd4555a10c22af025e9d55d2d2f58a668e72d1954b1a305d05a
                                                                            • Opcode Fuzzy Hash: 8e490ef12a44c021d1643fc55ba5bb9ae3ec9bb36ebe4828b9d836a9272504ca
                                                                            • Instruction Fuzzy Hash: 6F513B36A59A518BD720AB16F44026E7BB8FB88BA1F100575DB8D07B76DF3CD461CB00
                                                                            Function 00007FFE115B0A20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                            • String ID: U
                                                                            • API String ID: 2456169464-4171548499
                                                                            • Opcode ID: 3eeab76ec3c782a7d83cc3d92d90f754b143ebad591f5f5d441319891815de3d
                                                                            • Instruction ID: f008aa1167f23385e6d8d4ae769100b25aea3d1ece4050c492d1bf6bda174f9e
                                                                            • Opcode Fuzzy Hash: 3eeab76ec3c782a7d83cc3d92d90f754b143ebad591f5f5d441319891815de3d
                                                                            • Instruction Fuzzy Hash: A941B222B28A4182DB608F66E4447AAB7A5FB887A4F814131EE4E877B8DF7CD441C744
                                                                            Function 00007FFE11595730 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • InitializeCriticalSection.KERNEL32(?,?,00000007,00007FFE1159D2C5), ref: 00007FFE1159576C
                                                                            • CreateSemaphoreW.KERNEL32(?,?,00000007,00007FFE1159D2C5), ref: 00007FFE1159577D
                                                                            • CreateEventW.KERNEL32(?,?,00000007,00007FFE1159D2C5), ref: 00007FFE11595797
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                            • String ID: Thread pool initialization failed.
                                                                            • API String ID: 3340455307-2182114853
                                                                            • Opcode ID: b52f8bda723476e301ecee44f151894969fa1dc0dc4dc6f73dea7ebc106a8918
                                                                            • Instruction ID: 0849e076c4ede69b44b20f2730ef51c09ee89c06f587060a4a54c31ba17b0088
                                                                            • Opcode Fuzzy Hash: b52f8bda723476e301ecee44f151894969fa1dc0dc4dc6f73dea7ebc106a8918
                                                                            • Instruction Fuzzy Hash: A9119031E05F4681E7108F26F5043A927AAFF94B58F588076CA0A476B4DF3E95528744
                                                                            Function 663DA5E8 Relevance: 6.3, APIs: 5, Instructions: 51COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • free.MSVCRT ref: 663DA629
                                                                            • free.MSVCRT ref: 663DA632
                                                                            • free.MSVCRT ref: 663DA63B
                                                                            • free.MSVCRT ref: 663DA666
                                                                            • free.MSVCRT ref: 663DA66E
                                                                              • Part of subcall function 663DA4E8: free.MSVCRT ref: 663DA520
                                                                              • Part of subcall function 663DA4E8: free.MSVCRT ref: 663DA528
                                                                              • Part of subcall function 663DA4E8: free.MSVCRT ref: 663DA535
                                                                              • Part of subcall function 663DA4E8: free.MSVCRT ref: 663DA53E
                                                                              • Part of subcall function 663DA4E8: free.MSVCRT ref: 663DA54C
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 9487260fd58b24807a4a235b073f5302eb3937bb247cb57f4b2324a6247f3146
                                                                            • Instruction ID: cf576629ebd623ab42ff320650901f123e154ace65758f684d1f74d25c76ef37
                                                                            • Opcode Fuzzy Hash: 9487260fd58b24807a4a235b073f5302eb3937bb247cb57f4b2324a6247f3146
                                                                            • Instruction Fuzzy Hash: CA014063F1298086CB11EE3ADE5122D5722EB94FE9B294335CEAD0B799DF25C951C310
                                                                            Function 663DA4E8 Relevance: 6.3, APIs: 5, Instructions: 41COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 61ed2003fb33369a0d255fe74271b2741ba91e1b7a5e05b589b973eddad462e9
                                                                            • Instruction ID: 30edc31c1b46abba19305dc10c1d95f730a8b64dbf8ea42bc42393ba76c3d7e1
                                                                            • Opcode Fuzzy Hash: 61ed2003fb33369a0d255fe74271b2741ba91e1b7a5e05b589b973eddad462e9
                                                                            • Instruction Fuzzy Hash: 74F0F653B1198049CB15EE27ED0162C5621EBD5FE8F191231CEAD0B39ADF25C892C300
                                                                            Function 6636A61C Relevance: 6.3, APIs: 5, Instructions: 40COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 6a27fea1a926512d02433ca9b7be287444b10faaab3b5a6219b0cfc7403d31dc
                                                                            • Instruction ID: faa3ad7fb3f06fd9cefef69d2ff06faad0f6c919434d18f693af5da23afe72f0
                                                                            • Opcode Fuzzy Hash: 6a27fea1a926512d02433ca9b7be287444b10faaab3b5a6219b0cfc7403d31dc
                                                                            • Instruction Fuzzy Hash: A2F08C53B019A08ADE14EE2BDC9026C5720EFA4F99B080231DF9D4BB1ADF21C8A5C300
                                                                            Function 663B833C Relevance: 6.3, APIs: 5, Instructions: 17COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: f14fa5fa203be9b158a2061561a9c2646304026a93660e4a6bab94bd98f7faf9
                                                                            • Instruction ID: 30d886fb21cf4659cc5aff873dd81483cc3a0cdf76b69ba1e5e6986c3ef0511a
                                                                            • Opcode Fuzzy Hash: f14fa5fa203be9b158a2061561a9c2646304026a93660e4a6bab94bd98f7faf9
                                                                            • Instruction Fuzzy Hash: C6E02F5261044481DF14FF76DC9212C5764EBE4F4CB141131CADD8B21BCE10C9A1C340
                                                                            Function 663FA0BC Relevance: 6.3, APIs: 5, Instructions: 17COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 6a112e658d7c603a2f93fa6f68a349f33fe783114d3f5d24ff8ef3f8723c09e6
                                                                            • Instruction ID: 5f3687a11747655493a72f78aba329bf501776e3534b28ad087f1b6292109eee
                                                                            • Opcode Fuzzy Hash: 6a112e658d7c603a2f93fa6f68a349f33fe783114d3f5d24ff8ef3f8723c09e6
                                                                            • Instruction Fuzzy Hash: ECE0FEA262148481DA00EE76DCA236C97A0E7A4F88F041132CECD8A22BCE10CA618310
                                                                            Function 6638C29C Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 205COMMON
                                                                            Download Yara Rule
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: NTFS$There are lost files
                                                                            • API String ID: 0-3686549613
                                                                            • Opcode ID: 4e1a37018e0f7691f2d0447e26db0f1b191be352c50d81993e1c8b539c0ac981
                                                                            • Instruction ID: 10c5060a93138cb96b8e5e52c7856fa957c5379ec3fd66d3946a871f604f1960
                                                                            • Opcode Fuzzy Hash: 4e1a37018e0f7691f2d0447e26db0f1b191be352c50d81993e1c8b539c0ac981
                                                                            • Instruction Fuzzy Hash: 3071E73362868196DF109B2AD8406DEBB71F7D2B88F50432AD69D47E68DB3ACD4DC740
                                                                            Function 00007FFE11594B90 Relevance: 6.2, APIs: 4, Instructions: 184COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$BuffChar
                                                                            • String ID:
                                                                            • API String ID: 1655312534-0
                                                                            • Opcode ID: 86d40edd8813d819b9800d60edac61a8c63e7cd1b5e967f7d2af1e360d49f975
                                                                            • Instruction ID: 3b5e8ccb566c2cf9abd39e3daff38baa021c3f373b90cfad57319c20963086e3
                                                                            • Opcode Fuzzy Hash: 86d40edd8813d819b9800d60edac61a8c63e7cd1b5e967f7d2af1e360d49f975
                                                                            • Instruction Fuzzy Hash: DC61A162F14F6688FF108BA6D5542AC276ABB04BB8F504671DE2E17BF9DF7C98418301
                                                                            Function 00007FFE115963A0 Relevance: 6.2, APIs: 4, Instructions: 176COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide
                                                                            • String ID:
                                                                            • API String ID: 3586323037-0
                                                                            • Opcode ID: c13e3a10a05bf0e81e2d3d0af6c029e65ea75312eefedb76ca20212d619574b4
                                                                            • Instruction ID: 4177d535ede6f45ab48487d5718d36ace56f58f85250c1ff0be03bdbcca8707b
                                                                            • Opcode Fuzzy Hash: c13e3a10a05bf0e81e2d3d0af6c029e65ea75312eefedb76ca20212d619574b4
                                                                            • Instruction Fuzzy Hash: D451E122B18E4585EB04DB23A5442A962AABB08BF0F944670EE6E477F5DF3CD095C300
                                                                            Function 6635648C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 123COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: [LONG_PATH]
                                                                            • API String ID: 1294909896-2829221829
                                                                            • Opcode ID: 578831b39e454ee51bfc4343630e6012d757e8bbb0d7823f6bea3fecaa307ed5
                                                                            • Instruction ID: 31295dfb5b4606953c5fef8fb490d85709ed97fcf4b2f7d542ab6cabbde9c04f
                                                                            • Opcode Fuzzy Hash: 578831b39e454ee51bfc4343630e6012d757e8bbb0d7823f6bea3fecaa307ed5
                                                                            • Instruction Fuzzy Hash: BF41C47321564491CA20EF26D88059EBB60F7957F8F455322EBAE436B8DF38C5AAC700
                                                                            Function 00007FFE1158CE70 Relevance: 6.1, APIs: 4, Instructions: 110COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: FoldString$Concurrency::cancel_current_taskVersion_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 879215400-0
                                                                            • Opcode ID: 6eb4a9e0408cf57533852787eba350946672cb19661b072bf984af64d0d9c87f
                                                                            • Instruction ID: d261abc864dbca364a716771d426f84072d9727b83e2976af7e2a8bbb478a4ed
                                                                            • Opcode Fuzzy Hash: 6eb4a9e0408cf57533852787eba350946672cb19661b072bf984af64d0d9c87f
                                                                            • Instruction Fuzzy Hash: 0E41B232B28A4241FB148B13E5446A9A69AFB85BF0F104775EABD47BF5DF3CD1908740
                                                                            Function 66398E10 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 110COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID: .rpm
                                                                            • API String ID: 1294909896-719380284
                                                                            • Opcode ID: 859e7c0009211af151c53caaeb2e4f631e092a0a1f9e5a2c72421631d551bf1e
                                                                            • Instruction ID: 933619aa8135823424885eac22b38f8357583333cab6e7fb55c6a4e489468068
                                                                            • Opcode Fuzzy Hash: 859e7c0009211af151c53caaeb2e4f631e092a0a1f9e5a2c72421631d551bf1e
                                                                            • Instruction Fuzzy Hash: 2541DB23204540B0DA10DB64EC5439EEBA2E7D179CF906712D59A466BCFF79C64BCF40
                                                                            Function 663A877C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 100COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp$memmove
                                                                            • String ID: regi
                                                                            • API String ID: 848149194-2965150300
                                                                            • Opcode ID: 33d481057d35c271e1e0c917d133c4eb0897bb09f9462883e305c729538c29a7
                                                                            • Instruction ID: 28d90a5f22eb0bff32c1668a95cadfb6761393920adb1065fb32400f11bc5672
                                                                            • Opcode Fuzzy Hash: 33d481057d35c271e1e0c917d133c4eb0897bb09f9462883e305c729538c29a7
                                                                            • Instruction Fuzzy Hash: 8A3123A3A187C4E6E7218F28D40079A7B75FB09B8CF048214DE9807645DF3FC299EB81
                                                                            Function 00007FFE115899B0 Relevance: 6.1, APIs: 4, Instructions: 96fileCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 3823481717-0
                                                                            • Opcode ID: dbcabb81a7521f2f4766c9741d9be30ad9240f44d3c455f8d4be5198783c36b2
                                                                            • Instruction ID: 5b694bb39123e6f3b8cf99ca6c915ce8a961327274fb07eb2b49200e3192d22c
                                                                            • Opcode Fuzzy Hash: dbcabb81a7521f2f4766c9741d9be30ad9240f44d3c455f8d4be5198783c36b2
                                                                            • Instruction Fuzzy Hash: 9E419362A18F8281EF108B17F44526EB365FBC5BA4F505275EADD06AB9EF7CD480C604
                                                                            Function 00007FFE11589170 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                            • String ID:
                                                                            • API String ID: 2359106489-0
                                                                            • Opcode ID: 300f923eb8c32307b27d2a1ea14baa7e7248fd283a4a3b36947ee03364d88d66
                                                                            • Instruction ID: b72f342803c715835b9d4e10e853f5a6de5720ddfcc03e105480925280d352a8
                                                                            • Opcode Fuzzy Hash: 300f923eb8c32307b27d2a1ea14baa7e7248fd283a4a3b36947ee03364d88d66
                                                                            • Instruction Fuzzy Hash: 5D31D322A0CE8281EB209B27B44527E73A9FFC47B4F504271EA8E466F5EF2CD4818600
                                                                            Function 00007FFE115AEF58 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFE115ABAFB), ref: 00007FFE115AEF71
                                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFE115ABAFB), ref: 00007FFE115AEFD3
                                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFE115ABAFB), ref: 00007FFE115AF00D
                                                                            • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFE115ABAFB), ref: 00007FFE115AF037
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                            • String ID:
                                                                            • API String ID: 1557788787-0
                                                                            • Opcode ID: dee6654cfae804b3132b253b5fa88dac4e40e145f1df7829af23917f43b998e6
                                                                            • Instruction ID: f45801a3bf2ff545057a06d9a125645e74fce497b43de2b47cc60db1655d6517
                                                                            • Opcode Fuzzy Hash: dee6654cfae804b3132b253b5fa88dac4e40e145f1df7829af23917f43b998e6
                                                                            • Instruction Fuzzy Hash: 3B215021F48F9181EB249F23B44002DAAA9FB54BE0B094175DE9E63BF4DF3CE4529704
                                                                            Function 66346264 Relevance: 6.1, APIs: 4, Instructions: 68COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 66346120: FindClose.KERNEL32 ref: 66346132
                                                                            • SetLastError.KERNEL32 ref: 66346291
                                                                            • FindFirstStreamW.KERNEL32 ref: 663462B3
                                                                            • GetLastError.KERNEL32 ref: 663462C1
                                                                            • free.MSVCRT ref: 66346313
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFindLast$CloseFirstStreamfree
                                                                            • String ID:
                                                                            • API String ID: 428924562-0
                                                                            • Opcode ID: 9cbd8ade59da9d737c29f006beac25d5d2a3761fc66177c03c3f4e27be94aeb5
                                                                            • Instruction ID: 04c0b9373ed2b903f2dfc6d8bd9a98eb776d33be8a2061f821f0df119e9d16e0
                                                                            • Opcode Fuzzy Hash: 9cbd8ade59da9d737c29f006beac25d5d2a3761fc66177c03c3f4e27be94aeb5
                                                                            • Instruction Fuzzy Hash: 95119922604A8096CA21AF26EC1039D97A4FBD7778F544325DEF9476E4DF3AC549C300
                                                                            Function 00007FFE115AC924 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$abort
                                                                            • String ID:
                                                                            • API String ID: 1447195878-0
                                                                            • Opcode ID: 08784fc8b292f19ac5547691b67b61177a39c599a541172f236aefb3c32fe9a8
                                                                            • Instruction ID: 4a092f0ea7ade8c5171c9c16282962060d6f40affdcd85de1ced46c010d20a12
                                                                            • Opcode Fuzzy Hash: 08784fc8b292f19ac5547691b67b61177a39c599a541172f236aefb3c32fe9a8
                                                                            • Instruction Fuzzy Hash: BE017C20F89E0246FB58A733B5551BC599AAF84BF0F1444B8DA5F037F6EE2CF8454200
                                                                            Function 663463F4 Relevance: 6.0, APIs: 4, Instructions: 39COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,66345B34), ref: 66346416
                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,66345B34), ref: 6634644D
                                                                            • free.MSVCRT ref: 6634645A
                                                                            • free.MSVCRT ref: 66346468
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFilefree
                                                                            • String ID:
                                                                            • API String ID: 1936811914-0
                                                                            • Opcode ID: fd67fda6d26015a82386d23b2fd3a0fc4f73253f01839acdcc1f7a56d397aab5
                                                                            • Instruction ID: da612d77fb425c34b8cae0d0e10896c5b7321276facf0864ad0105884a3ae159
                                                                            • Opcode Fuzzy Hash: fd67fda6d26015a82386d23b2fd3a0fc4f73253f01839acdcc1f7a56d397aab5
                                                                            • Instruction Fuzzy Hash: 99F0496260464445CD20AF25ADA022D96B1D7C6BF9F540321DEF9877E5CF19C595C700
                                                                            Function 00007FFE1158DF90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 159COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                            • String ID: Crypt32.dll
                                                                            • API String ID: 3668304517-3851855693
                                                                            • Opcode ID: ae66d80e9411b94e19130e0d5955010716b91d6903698893c038f2b9cd84dca9
                                                                            • Instruction ID: 5a3e64837000cb68062b1071582c6a64a645fa7c5876f0f10cf5e38b2e904132
                                                                            • Opcode Fuzzy Hash: ae66d80e9411b94e19130e0d5955010716b91d6903698893c038f2b9cd84dca9
                                                                            • Instruction Fuzzy Hash: 1D51A232B18E9185EF109F17E5492AA63A6FB44BA4F404271EA6D07BF9DF3CE481D700
                                                                            Function 6636A034 Relevance: 5.4, APIs: 4, Instructions: 370COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f7331f348aa0d7181e3b9bb019d25a6c2cfd33442ce5ff251f1e5b12def68f21
                                                                            • Instruction ID: 8d132de02401c48f2ccbedaa9913b7d3b327cc3a6bd0bb4a2f017449ae5a579f
                                                                            • Opcode Fuzzy Hash: f7331f348aa0d7181e3b9bb019d25a6c2cfd33442ce5ff251f1e5b12def68f21
                                                                            • Instruction Fuzzy Hash: EAF18973614BA487CB14CF2AE48470D7775F388B94F219216DB9A87B58DF7AC891CB80
                                                                            Function 00007FFE115AB960 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleName_invalid_parameter_noinfo
                                                                            • String ID: C:\Program Files\Beyond Compare 5\BCompare.exe
                                                                            • API String ID: 3307058713-3902893231
                                                                            • Opcode ID: fbccd392b348cb805533c442fd7c2c5c302ee3e26b83fb2f62eb6fdfa425dd65
                                                                            • Instruction ID: 76d49678cfd66c55494c87c4df6eacc5a4b5b87a631df68a6a20c34870e5ca43
                                                                            • Opcode Fuzzy Hash: fbccd392b348cb805533c442fd7c2c5c302ee3e26b83fb2f62eb6fdfa425dd65
                                                                            • Instruction Fuzzy Hash: 8541AB32A48E528AEB15DF23F8501BD6BACEF44BE4B444475EA0E43BB5DE3DE4418780
                                                                            Function 00007FFE1157EDA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                            • String ID: Crypt32.dll
                                                                            • API String ID: 73155330-3851855693
                                                                            • Opcode ID: 56b3b90e92d3baf9d5d951d3edf528ccf2c135dd8ceef0d8db3ce4e955f15b0d
                                                                            • Instruction ID: 06a578bcd647f5172958d2902beed6625066cd0b941c9e0f3e4090a115f31607
                                                                            • Opcode Fuzzy Hash: 56b3b90e92d3baf9d5d951d3edf528ccf2c135dd8ceef0d8db3ce4e955f15b0d
                                                                            • Instruction Fuzzy Hash: 1F31CF22A09B6185EB149F16E40527922A8FB04BB4FA40F70DE7E07BF1DF3DE4929340
                                                                            Function 00007FFE115958E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70threadCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$CreatePriority
                                                                            • String ID: CreateThread failed
                                                                            • API String ID: 2610526550-3849766595
                                                                            • Opcode ID: 2865cfa915fdc34b2c1dbb1eb108f644a0ae28225560d3f24ea1faa7985f2bd0
                                                                            • Instruction ID: 1b19c6c49666d83787f93211a1cd870122e74feb7992427bf96a7eafe91f328f
                                                                            • Opcode Fuzzy Hash: 2865cfa915fdc34b2c1dbb1eb108f644a0ae28225560d3f24ea1faa7985f2bd0
                                                                            • Instruction Fuzzy Hash: 79318172A15F4286E704DF12E4402AA73A9FB84B78F584176DA8E47779DF3CE452C700
                                                                            Function 00007FFE115AD030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: FileHandleType
                                                                            • String ID: @
                                                                            • API String ID: 3000768030-2766056989
                                                                            • Opcode ID: e35b2ef479dcdc3e4ef56d40113991ab1909d6bcba62c7fed988bd456bca5534
                                                                            • Instruction ID: f7e6b85540d185f7798adaf7c46874d0c72b1c92c7afeab8022d6ab2f3707290
                                                                            • Opcode Fuzzy Hash: e35b2ef479dcdc3e4ef56d40113991ab1909d6bcba62c7fed988bd456bca5534
                                                                            • Instruction Fuzzy Hash: 0F21D722A88F4242EB609B36A49013D6669FB857B4F241375D67F077F4DE3DE882D300
                                                                            Function 00007FFE115A6D8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                                                                            Download Yara Rule
                                                                            APIs
                                                                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE115A53BA), ref: 00007FFE115A6DD0
                                                                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE115A53BA), ref: 00007FFE115A6E16
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2968063961.00007FFE11571000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE11570000, based on PE: true
                                                                            • Associated: 00000006.00000002.2968040272.00007FFE11570000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968535949.00007FFE115B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968654749.00007FFE115C4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968705397.00007FFE115CC000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2968730486.00007FFE115CE000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_7ffe11570000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFileHeaderRaise
                                                                            • String ID: csm
                                                                            • API String ID: 2573137834-1018135373
                                                                            • Opcode ID: d75564f60b057534dfb7159ab4c8466859545659ef1fae75b0d7417bdb47e4a5
                                                                            • Instruction ID: 503dc7cac27897fc0616e6020ec68ccefe51c7c35409d2007f337ab0d1561749
                                                                            • Opcode Fuzzy Hash: d75564f60b057534dfb7159ab4c8466859545659ef1fae75b0d7417bdb47e4a5
                                                                            • Instruction Fuzzy Hash: 8A114C32608F4582EB608F26F4402697BA9FB88BA4F184270EE8D07774DF3CD591CB40
                                                                            Function 66348014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26memoryCOMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: AllocExceptionStringThrow
                                                                            • String ID: out of memory
                                                                            • API String ID: 3773818493-2599737071
                                                                            • Opcode ID: 241dc2bc5c895969f5d37e122532baa299111cc9dcb8feeef8bbf977748da980
                                                                            • Instruction ID: 3d26fecbe29e09cdb1ede71df8dba24ad18868295a44864fb82eb4a6c04f06be
                                                                            • Opcode Fuzzy Hash: 241dc2bc5c895969f5d37e122532baa299111cc9dcb8feeef8bbf977748da980
                                                                            • Instruction Fuzzy Hash: 3EF0A022A12745A6DF04AF20E840709A3F1AB44708F688028CA0C47324EF7BC89DC351
                                                                            Function 663705F8 Relevance: 5.3, APIs: 4, Instructions: 261COMMON
                                                                            Download Yara Rule
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: adcd57e6236d1fd39dd24921a67d36f0d80fa52418a415ac192cfeedf3f9560e
                                                                            • Instruction ID: f77a621d88ac28dc9e026cbec6e539795ea59ac2a812d64bb98677d287baf488
                                                                            • Opcode Fuzzy Hash: adcd57e6236d1fd39dd24921a67d36f0d80fa52418a415ac192cfeedf3f9560e
                                                                            • Instruction Fuzzy Hash: A791D6A2664650D1EB20DB28D85075FAF71F7A2788F904212DACD4397CDB3BD58ACBC4
                                                                            Function 663BE390 Relevance: 5.1, APIs: 4, Instructions: 117COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionThrowfree
                                                                            • String ID:
                                                                            • API String ID: 2053033275-0
                                                                            • Opcode ID: 17cd2a33d9a677b4965688700cab69152195a2a365e9c35dbdfe2cd1eaba8c8e
                                                                            • Instruction ID: 1e005eae4405876cc82ab0a533df560605b9ea125f293888e0f5ee496daa7b72
                                                                            • Opcode Fuzzy Hash: 17cd2a33d9a677b4965688700cab69152195a2a365e9c35dbdfe2cd1eaba8c8e
                                                                            • Instruction Fuzzy Hash: 79414A7360178086DB15DF39C8906AC7BAAF794F8CF588265CE9907768DF38C499C750
                                                                            Function 663EA69C Relevance: 5.1, APIs: 4, Instructions: 57COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: d39ac36b5469e367bb22b2bafdf412b532a8257d0aaa36320b4e8b904c5bcba2
                                                                            • Instruction ID: 0feff24555c2c49d26cd813db8854e74291e4d5a594fc80aea5ebb357192aa42
                                                                            • Opcode Fuzzy Hash: d39ac36b5469e367bb22b2bafdf412b532a8257d0aaa36320b4e8b904c5bcba2
                                                                            • Instruction Fuzzy Hash: FB213EB760565087D7209F19D51031D7BB0F794F68F214326CEA90B7A8DB3AC547C760
                                                                            Function 663CA488 Relevance: 5.1, APIs: 4, Instructions: 51COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                              • Part of subcall function 663CA1DC: memmove.MSVCRT ref: 663CA20D
                                                                              • Part of subcall function 663CA1DC: free.MSVCRT ref: 663CA215
                                                                              • Part of subcall function 663CA1DC: memmove.MSVCRT ref: 663CA24D
                                                                              • Part of subcall function 663CA1DC: free.MSVCRT ref: 663CA256
                                                                            • memmove.MSVCRT ref: 663CA4C7
                                                                            • free.MSVCRT ref: 663CA4D0
                                                                              • Part of subcall function 663442CC: malloc.MSVCRT ref: 663442DC
                                                                            • memmove.MSVCRT ref: 663CA509
                                                                            • free.MSVCRT ref: 663CA512
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: freememmove$malloc
                                                                            • String ID:
                                                                            • API String ID: 531908557-0
                                                                            • Opcode ID: 721792b1eb51b0833f2f6e49995398899bcefdc8c5171b35295dcfad4ef8368a
                                                                            • Instruction ID: 8c9e609bbc43fa99d5915e59a47050f7bed181e2f66171f0efef35d599c741a8
                                                                            • Opcode Fuzzy Hash: 721792b1eb51b0833f2f6e49995398899bcefdc8c5171b35295dcfad4ef8368a
                                                                            • Instruction Fuzzy Hash: FD0139B2B005508B8B60DF7AE88145C77A4EB88FD8711A225DE5D97308DF21D8C1CB41
                                                                            Function 663CA270 Relevance: 5.0, APIs: 4, Instructions: 48COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: freememmove$malloc
                                                                            • String ID:
                                                                            • API String ID: 531908557-0
                                                                            • Opcode ID: 76a767ea90338129d983d04dce5133758201223f9e5f1132d7c8a9ae3a11fab6
                                                                            • Instruction ID: 4495d7c3ab656096d3919043a7b058efa2cdc5d5372b34deb4f981a98ce552aa
                                                                            • Opcode Fuzzy Hash: 76a767ea90338129d983d04dce5133758201223f9e5f1132d7c8a9ae3a11fab6
                                                                            • Instruction Fuzzy Hash: E0012972B01654878B14DFABE8A185CB7E0E798FD87048425DE588B308DF36DC92CB91
                                                                            Function 663CA1DC Relevance: 5.0, APIs: 4, Instructions: 48COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: freememmove$malloc
                                                                            • String ID:
                                                                            • API String ID: 531908557-0
                                                                            • Opcode ID: 8da1da8d1a68a73113b88a56e88458f67a7b91c0f621b5c270a084b0de2af1a5
                                                                            • Instruction ID: ba3cf6b27eb30439c01b6c011ce992f8642a339c9243a777f3f3e649c9b0fc5d
                                                                            • Opcode Fuzzy Hash: 8da1da8d1a68a73113b88a56e88458f67a7b91c0f621b5c270a084b0de2af1a5
                                                                            • Instruction Fuzzy Hash: 40012972B01654878B14DFABE89141DB7E0E784FD87048425DE688B308DE36DC92CB91
                                                                            Function 66374E18 Relevance: 5.0, APIs: 4, Instructions: 45COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 09b6ed694bac705ff811da03414ff14c8e2a5a365502c69455700bacfc31cdd4
                                                                            • Instruction ID: 093d3eebc4349941941c816683ce4edbbcb0869427893103df9740a7ec874a47
                                                                            • Opcode Fuzzy Hash: 09b6ed694bac705ff811da03414ff14c8e2a5a365502c69455700bacfc31cdd4
                                                                            • Instruction Fuzzy Hash: AC017122701A8496DA24EE36DD902196B60FB91FB4B084331CFBD17B96CF25D525C304
                                                                            Function 6637E718 Relevance: 5.0, APIs: 4, Instructions: 34COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 0689ed08d5eb71f5f5b4935f3e4559cd79c163fed65c681926591bf661a63884
                                                                            • Instruction ID: cd48a34f05d4915f99d2d4832a8b8d27e9e0f9dc76e0c96226d1ac47d3e68113
                                                                            • Opcode Fuzzy Hash: 0689ed08d5eb71f5f5b4935f3e4559cd79c163fed65c681926591bf661a63884
                                                                            • Instruction Fuzzy Hash: A6F0BE63B11AC4899A10FE2BED912AC9760EB64FACB0C4231DF9C0B30ADF20C961C300
                                                                            Function 6637E780 Relevance: 5.0, APIs: 4, Instructions: 34COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 4651509f211976c1f46d52ac6a95de06a27747100087636b5084e2fbf4828632
                                                                            • Instruction ID: 2ccf7df5eec5fdbfc70afbc9f10ac0fb686de63414d0331b2b2e609646040215
                                                                            • Opcode Fuzzy Hash: 4651509f211976c1f46d52ac6a95de06a27747100087636b5084e2fbf4828632
                                                                            • Instruction Fuzzy Hash: D6F0B493B01AC48ADA10EE66EC8029C5B10EF54FA9F1C4230DF5C07746EF20C855C300
                                                                            Function 6637E7E8 Relevance: 5.0, APIs: 4, Instructions: 34COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 5001b256a4e10de15744d2e1bf610619c378dd355e345c7e2a9997ae9be7f251
                                                                            • Instruction ID: 26ffd00ac558ac9787f87a97dbc0fe01b9b7265fae9d44c7cb5cb268d542a044
                                                                            • Opcode Fuzzy Hash: 5001b256a4e10de15744d2e1bf610619c378dd355e345c7e2a9997ae9be7f251
                                                                            • Instruction Fuzzy Hash: CCF0B453B016C4889A10EE6BDC9129C5B60DF64FE9B0C4231DF4D0734ADF10C9A2C300
                                                                            Function 663F609C Relevance: 5.0, APIs: 4, Instructions: 15COMMON
                                                                            Download Yara Rule
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.2952666186.0000000066341000.00000020.00000001.01000000.0000000C.sdmp, Offset: 66340000, based on PE: true
                                                                            • Associated: 00000006.00000002.2952620701.0000000066340000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2954770938.0000000066488000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955383166.00000000664E2000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                            • Associated: 00000006.00000002.2955510293.00000000664F0000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_66340000_BCompare.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 25a5c249c24e03fb9c9a1033edefd8dd0351485de3c8c57970b32cccd422b3a9
                                                                            • Instruction ID: b618d04bad9fed39d3b3be9cc8c3357d1fe552dd89434aa60f11a9d1b97c2e13
                                                                            • Opcode Fuzzy Hash: 25a5c249c24e03fb9c9a1033edefd8dd0351485de3c8c57970b32cccd422b3a9
                                                                            • Instruction Fuzzy Hash: F4D067A262148481DF44FF76DCA222C97A4E7E4F8CF041131CECD8B21BCE10CAA1C300